FC: Verizon Wireless website features gaping "my account" security hole

[Declan McCullagh <declan () well com>]

----- Forwarded message from Marc Slemko <marcs () znep com> -----

Date: Sat, 1 Sep 2001 18:36:20 -0700 (PDT)
From: Marc Slemko <marcs () znep com>
To: bugtraq () securityfocus com
Subject: verizon wireless website gaping privacy holes

Verizon Wireless (a fairly large US cell service provider) has a
website.  One feature of that website allows you to access your account
and do things such as view your bills and recent usage and modify your
service.

Cell phone bills are often very interesting things, since they contain
names, addresses, and a complete record of calls placed and received,
along with the approximate location the user was when the call was
made.  I'm sure I'm not alone in expecting my provider to provide a
reasonable level of privacy for this data.

A typical URL used by this "my account" service is:

https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION

Note the p_session_id parameter.  This is the only session identifier
used.  They are assigned sequentially to each user as they login, and are
valid until the user logs out or the session times out.  Obviously, this
makes it trivial to access the sessions of other users by guessing the
session ID.  Automated tools to grab this information in bulk as users
login over time are also trivial.

I notified Verizon Wireless about this on August 19th, telling them that
if I did not receive a response within a week that at least indicates they
are aware of the problem and are working on it, I would do whatever I
could to ensure the public knows about they inexcusable ineptitude, and
that verizon wireless customers can take whatever steps possible to
protect themselves.  Verizon Wireless has not responded to me, nor have
they fixed the problem.

If you are a verizon wireless customer:

1. Do NOT use their online "My Account" feature.  If you do not login,
then this vulnerability can not be used to hijack your session.

2. Contact them to let them know what you think of their complete lack of
attention to the most basic security concepts involved with designing a
web application.  I am evaluating other alternatives for cellular service.


Note that this application of theirs also appears to have other,
potentially far more serious, security flaws.  Looking at the example URL
given above, two alarm bells should go off; one because the session ID
looks very weak.  I won't name the other, but it (not particular to
verizon wireless) has been referenced on bugtraq before and is quite
obvious.  I am not discussing the other potential hole both because a user
can't protect themself against it (unlike the session ID bug) and because
I can not verify if it is actually a hole or not for certain without
potentially violating US laws.

Companies need to get it through their heads that they must pay attention
to the security of their online offerings.  If they can't do that, then
they should just turn the site off and go home.  It is somewhat troubling
that, even if a customer does have the technical knowledge required to
check for basic security blunders on sites they use, they may be unable to
do so in most countries without breaking the law.  The verizon session id
bug is different in that I could test it using multiple accounts that I am
authorized to access, without incurring any unauthorized access to the
accounts of third party "innocents".


----- End forwarded message -----




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------