Information Security News mailing list archives

Nextel security glitch nipped in the bud


From: InfoSec News <isn () C4I ORG>
Date: Tue, 19 Sep 2000 02:08:12 -0500

http://www.theregister.co.uk/content/6/13349.html

By: Thomas C Greene in Washington
Posted: 18/09/2000 at 23:58 GMT

Register reader Mike Koper alerted us Friday to a security flaw in
cellular service provider Nextel Communications' on-line Account
Manager which would have enabled users to access other customers'
account details.

Koper's discovery is of a class that plagues many similar on-line
services, where logging in generates a URL to a user's records. Often,
the user's account number will appear in the URL, and by manipulating
it with substitute numbers, one can easily access other accounts.
Sometimes merely viewing the login page source-code will give a
would-be intruder enough information to guess how to manipulate the
URL.
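The flaw class described above, as an added example that is not from the article or from Nextel's system: a toy account lookup that trusts the account number in the URL, the same lookup bound to the logged-in user, and a log check that flags sessions requesting accounts they do not own. All account, session and log data is constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account number -> record, session token -> user
ACCOUNTS = {
    "1001": {"owner": "alice", "calls": ["555-0100", "555-0101"]},
    "1002": {"owner": "bob", "calls": ["555-0200"]},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

class Forbidden(Exception):
    """Request refused: not logged in, or the account is not the caller's."""

def account_from_url(url):
    """Pull the 'acct' parameter the client put in the URL, e.g. /account?acct=1002."""
    return parse_qs(urlparse(url).query).get("acct", [""])[0]

def view_bill_unsafe(session_token, url):
    """Vulnerable pattern from the article: authenticates the session, then
    trusts whatever account number appears in the URL."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_from_url(url)]  # no ownership check

def view_bill_safe(session_token, url):
    """Fixed: the record is released only if it belongs to the logged-in user."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    record = ACCOUNTS.get(account_from_url(url))
    # One response for "no such account" and "not your account", so the
    # check does not confirm which guessed numbers exist.
    if record is None or record["owner"] != user:
        raise Forbidden("no such account for this user")
    return record

def flag_cross_account_requests(log_lines):
    """Detection over constructed access-log lines of the form 'session acct':
    return sessions that requested a non-existent account or one they do not own."""
    flagged = set()
    for line in log_lines:
        token, acct = line.split()
        owner = ACCOUNTS.get(acct, {}).get("owner")
        if owner is None or SESSIONS.get(token) != owner:
            flagged.add(token)
    return sorted(flagged)
```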

It would have been possible to abuse the Nextel Account Manager to add
a newly-purchased phone to another customer's account, change the
Account Manager password so the account owner is blocked, close an
existing account, change a user's calling options and the like.

It would also be possible to stalk a Nextel cellular customer and
track their phone calls, essentially conducting an unauthorised trap
and trace, Koper notes. So long as the victim's name, mobile phone
number and address are known to the stalker, one could "call Customer
Care and give them the [victim's] info, and then ask what the account
number is because you don't have your bill in front of you."

"Once you have the account number, you could start checking their
bills on-line and see who they're calling, shut down their phone and
so on," Koper notes.

Fortunately, Nextel responded swiftly to the news Friday and disabled
the link on their home page to the Account Manager while they set
about making repairs. (And yes, typing in the URL would still have
brought the page up. This was a reasonable gamble by Nextel since we
wouldn't have gone to press until they'd bunged the hole.)

"We were glad to have this brought to our attention," Nextel Vice
President for Corporate Communications Ben Banta told The Register.
"Fortunately, there have been no complaints [from customers]," he
noted.

The hole was reported and action taken before any customer accounts
were compromised, Banta said. Customer Koper appears to have been the
first Nextel Account Manager user to notice the glitch.

The de-bugged system got its final check and went back on line Monday
evening. The company is "confident" in its repairs, Banta assured us.

Nextel's handling of the glitch deserves recognition. It's not unusual
for companies to spin their way out of this sort of news in an effort
to maintain consumer confidence at the expense of the truth. But we
reckon consumers respect a forthright admission of the facts, however
unpleasant, followed by a swift undertaking to correct the problem.
It's reassuring to encounter one company, at least, that would tend to
agree.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".