Verizon Wireless (a fairly large US cell service provider) has a website. One feature of that website allows you to access your account and do things such as view your bills and recent usage and modify your service. Cell phone bills are often very interesting things, since they contain names, addresses, and a complete record of calls placed and received, along with the approximate location the user was when the call was made. I'm sure I'm not alone in expecting my provider to provide a reasonable level of privacy for this data. A typical URL used by this "my account" service is: https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION Note the p_session_id parameter. This is the only session identifier used. They are assigned sequentially to each user as they login, and are valid until the user logs out or the session times out. Obviously, this makes it trivial to access the sessions of other users by guessing the session ID. Automated tools to grab this information in bulk as users login over time are also trivial. I notified Verizon Wireless about this on August 19th, telling them that if I did not receive a response within a week that at least indicates they are aware of the problem and are working on it, I would do whatever I could to ensure the public knows about they inexcusable ineptitude, and that verizon wireless customers can take whatever steps possible to protect themselves. Verizon Wireless has not responded to me, nor have they fixed the problem. If you are a verizon wireless customer: 1. Do NOT use their online "My Account" feature. If you do not login, then this vulnerability can not be used to hijack your session. 2. Contact them to let them know what you think of their complete lack of attention to the most basic security concepts involved with designing a web application. I am evaluating other alternatives for cellular service. Note that this application of theirs also appears to have other, potentially far more serious, security flaws. Looking at the example URL given above, two alarm bells should go off; one because the session ID looks very weak. I won't name the other, but it (not particular to verizon wireless) has been referenced on bugtraq before and is quite obvious. I am not discussing the other potential hole both because a user can't protect themself against it (unlike the session ID bug) and because I can not verify if it is actually a hole or not for certain without potentially violating US laws. Companies need to get it through their heads that they must pay attention to the security of their online offerings. If they can't do that, then they should just turn the site off and go home. It is somewhat troubling that, even if a customer does have the technical knowledge required to check for basic security blunders on sites they use, they may be unable to do so in most countries without breaking the law. The verizon session id bug is different in that I could test it using multiple accounts that I am authorized to access, without incurring any unauthorized access to the accounts of third party "innocents".
This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 11:44:44 PDT