Re: verizon wireless website gaping privacy holes

["Gareth Owen" <gaz () gmx co uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I clicked on the URL which you typed with the sample session ID you
gave, and it brought up a menu.
I then clicked on View my recent usage, and it brings up the time
used in minutes at various times.
It also shows the customers phone number!!

I cant click view my bill, so what I am assuming is happening is even
when people have logged out you can
view their recent usage, but nothing else, but this exposes their
phone number !

I tried random session IDs and they gave similar results, except the
minutes used changed, and so did the phone
number. I think this is a major problem myself. Phone numbers could
be gathered for marketting etc etc.


Cheers
Gaz

- ----- Original Message ----- 
From: "Marc Slemko" <marcs () znep com>
To: <bugtraq () securityfocus com>
Sent: Sunday, September 02, 2001 2:36 AM
Subject: verizon wireless website gaping privacy holes


> Verizon Wireless (a fairly large US cell service provider) has a
> website.  One feature of that website allows you to access your
> account and do things such as view your bills and recent usage and
> modify your service.
>
> Cell phone bills are often very interesting things, since they
> contain names, addresses, and a complete record of calls placed and
> received, along with the approximate location the user was when the
> call was made.  I'm sure I'm not alone in expecting my provider to
> provide a reasonable level of privacy for this data.
>
> A typical URL used by this "my account" service is:
>
> https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_
> frame_display?p_session_id=3346178&p_host=ACTION  
>
> Note the p_session_id parameter.  This is the only session
> identifier used.  They are assigned sequentially to each user as
> they login, and are valid until the user logs out or the session
> times out.  Obviously, this makes it trivial to access the sessions
> of other users by guessing the session ID.  Automated tools to grab
> this information in bulk as users login over time are also trivial.
>
> I notified Verizon Wireless about this on August 19th, telling them
> that if I did not receive a response within a week that at least
> indicates they are aware of the problem and are working on it, I
> would do whatever I could to ensure the public knows about they
> inexcusable ineptitude, and that verizon wireless customers can
> take whatever steps possible to protect themselves.  Verizon
> Wireless has not responded to me, nor have they fixed the problem.
>
> If you are a verizon wireless customer:
>
> 1. Do NOT use their online "My Account" feature.  If you do not
> login, then this vulnerability can not be used to hijack your
> session.
>
> 2. Contact them to let them know what you think of their complete
> lack of attention to the most basic security concepts involved with
> designing a web application.  I am evaluating other alternatives
> for cellular service.  
>
>
> Note that this application of theirs also appears to have other,
> potentially far more serious, security flaws.  Looking at the
> example URL given above, two alarm bells should go off; one because
> the session ID looks very weak.  I won't name the other, but it
> (not particular to verizon wireless) has been referenced on bugtraq
> before and is quite obvious.  I am not discussing the other
> potential hole both because a user can't protect themself against
> it (unlike the session ID bug) and because I can not verify if it
> is actually a hole or not for certain without potentially violating
> US laws.
>
> Companies need to get it through their heads that they must pay
> attention to the security of their online offerings.  If they can't
> do that, then they should just turn the site off and go home.  It
> is somewhat troubling that, even if a customer does have the
> technical knowledge required to check for basic security blunders
> on sites they use, they may be unable to do so in most countries
> without breaking the law.  The verizon session id bug is different
> in that I could test it using multiple accounts that I am
> authorized to access, without incurring any unauthorized access to
> the accounts of third party "innocents".

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO5KXFfN5Mv4vDZwQEQJuowCaAwmxWpkUDHYYuhYRS+D7PHbfHNQAoPM5
dFXoWPJcHehUSR+PEHKjR5hl
=tv1W
-----END PGP SIGNATURE-----