Bezeq, Israel Telco, allows resetting its home subscribers

[Baruch via Fulldisclosure <fulldisclosure () seclists org>]

Bezeq, Israel top telco, allows anyone from anywhere to supposedly reset the phone and internet line of any of its home 
subscribers, no questions asked.



 1.            Bezeq, a top Israeli Telco, provides internet services over its infrastructure 2.            Apparently 
Bezeq encourages its users to solve Internet connectivity failures by themselves 3.            Apparently Bezeq allows 
anyone in the world to reset any (some?) of its customers’ lines/phone numbers/modems and associated services 
(internet, telephony)!!!a.            Directly from Bezeq online web pages, and without asking for or requiring any 
authorization, checking, user name, login, captch'a etc!b.            The line/number being reset does not have to 
belong/be associated to the guy that is resetting it!!!!c.             Since there is no such check, anyone can go on 
the internet, from a computer or a smartphone, enter any of Bezeq phone numbers and cause a reset, which might perhaps 
result in severing the connection and the services on that line and take few tens of seconds to complete. 4.            
So, via Bezeq web pages that are available to both computers and smartphones,  anyone can:a.            Type-in the 
Bezeq phone number of anyone else, without any check or authentication or authorization, no Captch'a etcb.            
Bezeq web site doesn't request to for any login, user name, ID of any sort, nor for the one typing in the number nor 
for the number being enteredc.             If an internet service/modem is associated with this typed-in number, then 
clicking a button starts a process in the Bezeq infrastructure which presumably performs test to the typed phone number 
internet service with some sort of a reset to the line and/or equipment associated with it. this test/reset 
disrupts/severs the internet service to that number for several tens of seconds or more and the telephony.d.            
I do not know if in case the Bezeq number doesn't have a modem associated with it such process shall occur.i.           
   When this test and reset occurs the modem in the home is disconnected so it has no service for a while. Also, the 
phone in the home on which the test/reset is being done might ring. Internet service might be disrupted for 30-90 
seconds or so. The home modem and Bezeq infrastructure should re-connect automatically, re-synch or whatever. 5.        
    The way to do this is:a.            Go to:  http://www.bezeq.co.il/serviceandsupport/solutions/b.            You 
can switch to Arabic or Russian at the top left; or, using Google translate, follow these steps: c.             Click 
the “Sites can not be viewed” buttond.            In the next screen click “I made no change”e.            In the next 
screen click “No, for further testing”f.             In the next screen you are asked to enter the phone/line number 
that will be tested (and supposedly reset in this process). It says:“A check will now be made to locate the 
problem.Enter the phone number / Internet subscription number including a prefix (do not enter a mobile number)g.       
     Type a phone number of a Bezeq subscriber (9 digits that include 2 digits area code starting with 0, no country 
code, e.g. 0xxxxxxxx). Click to start the test/reset attempt of that phone number (if it has an internet 
modem/service).h.            You should get:i.              “The system performs a test on line 0xxxxxxxx. The test 
will be completed in about 90 seconds.”  (and counting down)j.             After it finishes you can re-initiate the 
test from the same page. You are asked: “Please check now Is it possible to surf the Internet?”k.            Click “No, 
you can not browse”l.              Perhaps the test is then performed again.



   

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/