Pc-to-Phone vulnerability - broken by design

From: Arthur Hagen (artat_private)
Date: Wed Oct 24 2001 - 23:31:23 PDT


    Dear Sirs,
    
    This is to report a security vulnerability in DeltaThree's Pc-To-Phone
    product, version 3.0.3 (latest version), and possibly earlier versions.
    This security flaw was first reported to DeltaThree/iConnectHere on October
    3, 2001, where I told the company about the security flaw, how it could be
    fixed, and that I expected a confirmation of the problem within 7 days, and
    that I would disclose the nature of the security flaw to the public after 21
    days.
    
    This is the part of my email contacting DeltaThree/iConnectHere where I
    specified the problem:
    
    > Both the account number AND
    > password is stored in a file "temp.html" in the PC to Phone install
    > directory, which is world readable.  Any user on a multiuser-system
    > can look up the account number and password of any currently logged
    > in user (or the last user in case of a program/system crash)!
    > The same goes for the log and PhoneBook folders, which are *shared*
    > among all users on a system.
    > The program *must* be changed to use "%APPDATA%\PC to Phone\"
    > or similar instead of the install dir for sensitive data
    > (temp.html, log and PhoneBook).
    
    Yesterday, after contacting the Technical VP of DeltaThree, Mark Gazit (who
    should be well known to BugTraq), I got the following answer from the
    company:
    
    --- cut here ---
    Dear Mr. Hagen,
    
    I am the Product Manager for PC2Phone, and I wanted you to know that I
    received your e-mail and that I sincerely thank you for drawing this
    issue to our attention.
    
    deltathree has rallied around solving this issue, and is committed to
    providing a comprehensive and expedient solution.  To update you on our
    progress, it appears that this bug cannot be addressed by a quick hot
    fix; we will need to do some significant development work.  We have
    adjusted our development priorities accordingly and are committed to
    releasing a new version of PC2Phone in the upcoming quarter.
    
    Based on your e-mail, we will have decided to (just this afternoon)
    provide different dialers for multi-user and single-user/secure systems.
    In the latter, the user will be able to store neither the account nor
    the password, thus mitigating the potential security issue you
    identified.  In the multi-user system, we will ensure that all data is
    properly secured.
    
    On behalf of all of deltathree and iConnectHere's customers, I thank you
    for bringing this to our attention.  Based on user feedback, we are able
    to offer ever-improving products and services, and we sincerely
    appreciate this opportunity to serve you better.
    
    Sincerely,
    
    Jennifer Alexander
    Product Manager, Access Devices
    jenniferaat_private
    212-500-4855
    --- cut here ---
    
    
    As PC-to-Phone is a popular service, and many users may not want others to
    see their account details (including account passwords usable for billing
    purposes!) and log of phone calls, I feel that it's appropriate that the
    security flaw now be made public, so people can take necessary precautions
    like installing the program in a secure directory.
    Until a new version is available next quarter, it may be in the public's
    best interest to know.
    
    Regards,
    --
    *Art
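
The flaw described above boils down to two checks an administrator or developer can automate: is a credential file sitting in a shared location (the install directory) rather than under the user's own profile, and is it readable by other accounts on the machine? The following audit script is an added example written for this archive entry; it is not code from the original post or from DeltaThree. The install path, the file names and the %APPDATA% value are constructed from the advisory's description and are assumptions, and the permission check uses POSIX mode bits, which on Windows must be replaced by an ACL inspection.

```python
import os
import stat
import ntpath

# Names of the sensitive items the advisory lists (temp.html, log, PhoneBook).
SENSITIVE_ITEMS = ["temp.html", "log", "PhoneBook"]


def is_world_readable(path: str) -> bool:
    """True if 'others' hold read permission on the file.

    Uses POSIX mode bits; on Windows the bits returned by os.stat do not
    reflect the ACL, so a Windows audit must query the DACL instead.
    """
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def harden_file(path: str) -> int:
    """Restrict an existing data file to its owner (rw-------) and return
    the resulting permission bits. POSIX only; no-op beyond read-only on Windows."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def per_user_path(item: str, appdata: str, app_name: str = "PC to Phone") -> str:
    """Build the per-user location the advisory recommends:
    %APPDATA%\\<app name>\\<item>. Windows path rules via ntpath so the
    example runs on any platform."""
    return ntpath.join(appdata, app_name, item)


def is_shared_location(path: str, appdata: str) -> bool:
    """True when the file lives outside the calling user's profile directory,
    e.g. under a world-readable install directory shared by all accounts."""
    target = ntpath.normcase(ntpath.normpath(path))
    profile = ntpath.normcase(ntpath.normpath(appdata)) + ntpath.sep
    return not target.startswith(profile)


def audit_install_dir(install_dir: str, appdata: str):
    """Return (current_path, recommended_path) for every sensitive item
    that is stored in a shared location instead of the user's profile."""
    findings = []
    for item in SENSITIVE_ITEMS:
        current = ntpath.join(install_dir, item)
        if is_shared_location(current, appdata):
            findings.append((current, per_user_path(item, appdata)))
    return findings


if __name__ == "__main__":
    # Constructed values: a typical install directory and one user's roaming
    # profile, not real paths taken from the product.
    install_dir = r"C:\Program Files\PC to Phone"
    appdata = r"C:\Users\alice\AppData\Roaming"
    for current, recommended in audit_install_dir(install_dir, appdata):
        print(f"shared: {current}\n    move to: {recommended}")
```

The audit only reports the location problem; the second half (world-readable bits, or the equivalent DACL entry for BUILTIN\Users on Windows) has to be checked against the files that actually exist, which is what `is_world_readable` and `harden_file` do for a POSIX host.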
    



    This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 12:19:55 PDT