USPS Online Bill Pay - Cleartext Password Leakage

From: Matthew Dent (dentmat_private)
Date: Fri Jan 18 2002 - 20:52:48 PST


    AFFECTED:
    
    Users of USPS Online BillPay Service.  It is unknown
    whether other CheckFree portals are vulnerable to the
    same problem.
    
    OVERVIEW:
    
    Failed username/password results in plain-text return
    of submitted password.  If the USERNAME was the
    incorrectly typed piece, this will result in a
    plain-text version of the user's password being
    retrievable using the 'VIEW SOURCE' browser option.
    
    DESCRIPTION:
    
    The USPS Online BillPay service utilizes a
    username/password combination for access to their
    service.
    
    Users enter their username/password to gain access to
    their account.
    
    If a user mistypes the username or password, a
    pre-filled out form is returned to the user which
    INCLUDES the password that was entered on attempt.
    
    
    IMPACT:
    
    If the user mistypes the username but correctly types
    the password, the plain-text password is returned to
    the browser and is viewable by using the back button
    and the "view source" option of the browser.
    
    
    SOLUTION:
    
       END-USER
    
    The only known workaround is to configure the browser
    to not cache pages at all.  This will prevent the
    ability to use the "back" button, however, if the
    returned page is on the screen, using "view source"
    may still display the information.
    
       VENDOR
    
    Re-code the application to not return the password in
    the "login-failed" form that is displayed.  This
    should be a relatively easy solution.
    
    
    
    VENDOR NOTIFICATION
    
    USPS BillPay was first notified 1/1/2002 and given a
    "respond by" deadline of 1/17/2002.  This notification
    occurred from within their online customer care
    interface.  Complete and accurate contact information
    was included.
    
    When no response was obtained, a second notification
    was sent on 1/16/2002 with an extension until 00:00
    1/19/2002 -- at which time this information would be
    posted to BUGTRAQ.  The original message (including
    complete contact information) was included.
    
    
    VENDOR RESPONSE:
    
    None to date.
    
    
    Matthew Dent
    dentmat_private
    
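The vendor-side fix the post asks for, shown as an added example that is not part of the original message and not the USPS/CheckFree application's code: a constructed, minimal Python handler that renders the "login failed" form the reported way beside the corrected way (password field never re-filled, page marked uncacheable, user input HTML-escaped), plus a check a tester could run over the response body. All function names and the form markup are hypothetical.

```python
import html

# Constructed minimal login handler, not the USPS/CheckFree code: it shows the
# reported defect (submitted password echoed into the "login failed" form)
# next to a corrected version.

FORM = (
    '<form method="post" action="/login">\n'
    '  <input name="username" value="{user}">\n'
    '  <input type="password" name="password" value="{pw}">\n'
    '  <input type="submit" value="Sign in">\n'
    '</form>'
)


def render_failed_login(username, password, fixed=True):
    """Return (headers, body) for a failed login attempt.

    fixed=False reproduces the reported behaviour: both submitted fields are
    written back into the HTML, so the cleartext password sits in the page
    source and in the browser cache.  fixed=True re-fills only the username,
    always leaves the password field empty, and marks the page uncacheable.
    """
    safe_user = html.escape(username, quote=True)  # never inject raw input into HTML
    body = "<p>Login failed.</p>\n" + FORM.format(
        user=safe_user,
        pw="" if fixed else html.escape(password, quote=True),
    )
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if fixed:
        # Tell the browser (and any proxy) not to keep a copy of the page, so
        # the "back" button cannot serve it again from cache.
        headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
        headers["Pragma"] = "no-cache"
    return headers, body


def response_leaks_secret(body, secret):
    """QA check: is the submitted secret present in the page, raw or HTML-escaped?"""
    return secret in body or html.escape(secret, quote=True) in body
```

The check function is what a tester would run against every failed-login response: any match means the secret survived into page source and, absent `Cache-Control: no-store`, into the browser cache.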
    



    This archive was generated by hypermail 2b30 : Sat Jan 19 2002 - 13:52:09 PST