Bugtraq mailing list archives

Pc-to-Phone vulnerability - broken by design


From: "Arthur Hagen" <art () broomstick com>
Date: Thu, 25 Oct 2001 02:31:23 -0400

Dear Sirs,

This is to report a security vulnerability in DeltaThree's Pc-To-Phone
product, version 3.0.3 (latest version), and possibly earlier versions.
This security flaw was first reported to DeltaThree/iConnectHere on October
3, 2001, where I told the company about the security flaw, how it could be
fixed, and that I expected a confirmation of the problem within 7 days, and
that I would disclose the nature of the security flaw to the public after 21
days.

This is the part of my email contacting DeltaThree/iConnectHere where I
specified the problem:

Both the account number AND
password are stored in a file "temp.html" in the PC to Phone install
directory, which is world readable.  Any user on a multi-user system
can look up the account number and password of any currently logged
in user (or the last user in case of a program/system crash)!
The same goes for the log and PhoneBook folders, which are *shared*
among all users on a system.
The program *must* be changed to use "%APPDATA%\PC to Phone\"
or similar instead of the install dir for sensitive data
(temp.html, log and PhoneBook).

Yesterday, after contacting the Technical VP of DeltaThree, Mark Gazit (who
should be well known to BugTraq), I got the following answer from the
company:

--- cut here ---
Dear Mr. Hagen,

I am the Product Manager for PC2Phone, and I wanted you to know that I
received your e-mail and that I sincerely thank you for drawing this
issue to our attention.

deltathree has rallied around solving this issue, and is committed to
providing a comprehensive and expedient solution.  To update you on our
progress, it appears that this bug cannot be addressed by a quick hot
fix; we will need to do some significant development work.  We have
adjusted our development priorities accordingly and are committed to
releasing a new version of PC2Phone in the upcoming quarter.

Based on your e-mail, we have decided (just this afternoon) to
provide different dialers for multi-user and single-user/secure systems.
In the latter, the user will be able to store neither the account nor
the password, thus mitigating the potential security issue you
identified.  In the multi-user system, we will ensure that all data is
properly secured.

On behalf of all of deltathree and iConnectHere's customers, I thank you
for bringing this to our attention.  Based on user feedback, we are able
to offer ever-improving products and services, and we sincerely
appreciate this opportunity to serve you better.

Sincerely,

Jennifer Alexander
Product Manager, Access Devices
jennifera () deltathree com
212-500-4855
--- cut here ---


As PC-to-Phone is a popular service, and many users may not want others to
see their account details (including account passwords usable for billing
purposes!) and log of phone calls, I feel that it's appropriate that the
security flaw now be made public, so people can take necessary precautions
like installing the program in a secure directory.
Until a new version is available next quarter, it may be in the public's
best interest to know.

Regards,
--
*Art
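The following audit script is an added example and is not part of the original post or of the vendor's software. It checks whether the items named in the report (the install directory, temp.html, the log and PhoneBook folders) carry ACL entries that let other local users read them; the default install path is an assumption and can be overridden with -InstallDir.

```powershell
# Added example (not from the advisory): audit PC-to-Phone install data for
# read access granted to broad local groups, i.e. the world-readable condition
# described in the report. Run from a normal PowerShell prompt on the machine.
param(
    [string]$InstallDir = "$env:ProgramFiles\PC to Phone"   # assumed default location
)

# Identities that amount to "every local account" on a Windows system.
$broadGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Power Users'
)
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-ReadableByOthers {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Any Allow entry for a broad group that includes ReadData exposes the item.
        if (($ace.FileSystemRights -band $readData) -ne 0) { return $true }
    }
    return $false
}

# The install directory itself plus the sensitive items the report names.
$targets = @($InstallDir) + (@('temp.html', 'log', 'PhoneBook') |
    ForEach-Object { Join-Path $InstallDir $_ })

foreach ($item in $targets) {
    if (-not (Test-Path -Path $item)) {
        Write-Output "MISSING  $item"
    } elseif (Test-ReadableByOthers -Path $item) {
        Write-Output "EXPOSED  $item  (readable by other local users)"
    } else {
        Write-Output "OK       $item"
    }
}

# Mitigation in the spirit of the advisory: sensitive per-user data belongs in
# %APPDATA%, not in a shared install directory. Until the vendor moves it, an
# administrator can cut inherited rights on the existing file and grant read
# access to the current user only (run from an elevated prompt):
#   icacls "$InstallDir\temp.html" /inheritance:r /grant:r "${env:USERNAME}:(R)" "Administrators:(F)"
```

Items reported as EXPOSED are the ones any other account on the machine can open; MISSING simply means that file or folder is not present at the given path.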
