-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I clicked on the URL which you typed with the sample session ID you gave, and it brought up a menu. I then clicked on "View my recent usage", and it brings up the time used in minutes at various times. It also shows the customer's phone number!! I can't click "View my bill", so what I am assuming is happening is that even when people have logged out you can view their recent usage, but nothing else, but this exposes their phone number!

I tried random session IDs and they gave similar results, except the minutes used changed, and so did the phone number. I think this is a major problem myself. Phone numbers could be gathered for marketing etc etc.

Cheers
Gaz

- ----- Original Message -----
From: "Marc Slemko" <marcsat_private>
To: <bugtraqat_private>
Sent: Sunday, September 02, 2001 2:36 AM
Subject: verizon wireless website gaping privacy holes

> Verizon Wireless (a fairly large US cell service provider) has a website. One feature of that website allows you to access your account and do things such as view your bills and recent usage and modify your service.
>
> Cell phone bills are often very interesting things, since they contain names, addresses, and a complete record of calls placed and received, along with the approximate location the user was when the call was made. I'm sure I'm not alone in expecting my provider to provide a reasonable level of privacy for this data.
>
> A typical URL used by this "my account" service is:
>
> https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION
>
> Note the p_session_id parameter. This is the only session identifier used. They are assigned sequentially to each user as they login, and are valid until the user logs out or the session times out. Obviously, this makes it trivial to access the sessions of other users by guessing the session ID. Automated tools to grab this information in bulk as users login over time are also trivial.
>
> I notified Verizon Wireless about this on August 19th, telling them that if I did not receive a response within a week that at least indicates they are aware of the problem and are working on it, I would do whatever I could to ensure the public knows about their inexcusable ineptitude, and that Verizon Wireless customers can take whatever steps possible to protect themselves. Verizon Wireless has not responded to me, nor have they fixed the problem.
>
> If you are a Verizon Wireless customer:
>
> 1. Do NOT use their online "My Account" feature. If you do not login, then this vulnerability can not be used to hijack your session.
>
> 2. Contact them to let them know what you think of their complete lack of attention to the most basic security concepts involved with designing a web application. I am evaluating other alternatives for cellular service.
>
> Note that this application of theirs also appears to have other, potentially far more serious, security flaws. Looking at the example URL given above, two alarm bells should go off; one because the session ID looks very weak. I won't name the other, but it (not particular to Verizon Wireless) has been referenced on bugtraq before and is quite obvious. I am not discussing the other potential hole both because a user can't protect themselves against it (unlike the session ID bug) and because I can not verify if it is actually a hole or not for certain without potentially violating US laws.
>
> Companies need to get it through their heads that they must pay attention to the security of their online offerings. If they can't do that, then they should just turn the site off and go home. It is somewhat troubling that, even if a customer does have the technical knowledge required to check for basic security blunders on sites they use, they may be unable to do so in most countries without breaking the law. The Verizon session id bug is different in that I could test it using multiple accounts that I am authorized to access, without incurring any unauthorized access to the accounts of third party "innocents".

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO5KXFfN5Mv4vDZwQEQJuowCaAwmxWpkUDHYYuhYRS+D7PHbfHNQAoPM5
dFXoWPJcHehUSR+PEHKjR5hl
=tv1W
-----END PGP SIGNATURE-----
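The two issues raised in this thread, a counter-based session identifier and a session that still serves data after logout, are illustrated below in a small Python audit harness. This is an added example, not code from Verizon Wireless or from either poster: the counter generator is a constructed stand-in for the "assigned sequentially" scheme Marc describes (the starting value is only borrowed from the posted URL), and `SessionStore`, `looks_sequential` and `id_space_bits` are hypothetical helpers written here to show what a site operator would check on their own application and how the hardened form differs.

```python
"""Sequential vs. random session identifiers: a small audit harness.

Added illustration; not the application's real code. The counter-based
generator is a constructed model of the scheme described in the post.
"""
import math
import secrets
from itertools import count

# Constructed: a global counter handed out as the session id, starting
# near the value seen in the posted URL.
_counter = count(3346178)


def sequential_session_id() -> str:
    """Weak scheme from the post: ids issued in order as users log in."""
    return str(next(_counter))


def random_session_id(nbytes: int = 32) -> str:
    """Hardened form: 32 bytes (256 bits) from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(nbytes)


def id_space_bits(ids) -> float:
    """Rough upper bound on the bits a guesser must cover for this sample.

    Integer ids from a counter only vary over the range actually issued,
    so the bound is log2 of that spread. For non-integer tokens use the
    alphabet size: base64url gives 6 bits per character.
    """
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return 6.0 * min(len(i) for i in ids)
    return math.log2(max(nums) - min(nums) + 1)


def looks_sequential(ids, max_gap: int = 1000) -> bool:
    """Audit check for ids issued by an app you operate: all-integer ids whose
    successive differences are small and positive point to a counter."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    if len(nums) < 3:
        return False
    return all(0 < b - a <= max_gap for a, b in zip(nums, nums[1:]))


class SessionStore:
    """Minimal server-side store: only ids it issued are ever valid, and
    logout removes the id so no data (usage, phone number) is served for it
    afterwards, which is the behaviour Gaz's reply found missing."""

    def __init__(self):
        self._sessions = {}

    def login(self, account: str) -> str:
        sid = random_session_id()
        self._sessions[sid] = account
        return sid

    def account_for(self, sid: str):
        # Unknown or already logged-out id -> None, never another user's data
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    weak = [sequential_session_id() for _ in range(10)]
    strong = [random_session_id() for _ in range(10)]
    print("counter ids sequential?", looks_sequential(weak),
          f"~{id_space_bits(weak):.1f} bits to cover")
    print("random ids sequential?", looks_sequential(strong),
          f"~{id_space_bits(strong):.0f} bits to cover")
    store = SessionStore()
    sid = store.login("constructed-account")
    store.logout(sid)
    print("after logout:", store.account_for(sid))
```

Run it as a script to compare the two generators; the store shows the fix for the post-logout exposure: once `logout` removes the id, `account_for` returns nothing rather than the previous user's usage and phone number.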
This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 22:10:25 PDT