IConnectHere.com is a popular IP telephony service provider that allows its users to manage their accounts from the web. There are several security problems with its account management system and authentication infrastructure that can lead to the compromise of a user's UserID and Password.
Credit:
The information has been provided by Egemen Tas.
By default, if a user connects to their web site to manage his/her account, the web server sets a cookie with the pattern:
Cookie:backup=UID=XXXXXXXX&FIRSTNAME=ABC&CURRENCY%5FSYMBOL=%24&PIN=XXXX&AID=3&PROMOID=132&CURRENCYID=161&PRICEPLAN=247&BANKED=0&STATUS=3&LASTNAME=DEF&BALANCE=1097&PCTOPHONETYPEID=4&EMAIL=xxx%40sample%2Eorg&LANGID=29&ZONESYMBOL=EST;FVAL=XX5FGHY=A5BF6767ED3D51181F10508B11F4E1;FlatRate=STATUS=%2D1;D3Box=FILESERVERIP=213%2E137%2E73%2E160&FILESERVERDIR=ipost&MAILADDRESS=+&COOKIESTATUS=+
As seen above, this cookie is stored on the client side unencrypted, and therefore it is not decrypted on the server side either.
Under Windows NT/2000, cookies are only accessible by the Administrator or by the currently logged-in user who owns the cookie. However, under Windows 9X/ME they are world accessible.
Clearly, using the unencrypted cookie is an authentication weakness, because the cookie can be read by a third party who is sniffing the network ('Man in the Middle Attack'). In addition, the PC-To-Phone client stores the userid and password as clear text in temp.html under the program files directory, and also transports this information in clear text, which again makes a Man in the Middle attack possible.
Many attack scenarios can be developed here, such as cookie session hijacking, etc.
Solution:
The vendor has been informed and is expected to provide a secure authentication infrastructure. Note that in general, cookies which contain sensitive information must be encrypted with a strong algorithm.
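A check a site owner could run over their own cookies to find the kind of exposure described above. This is an added example, not code from the advisory or the vendor; the list of sensitive field names is an assumption based on the fields visible in the cookie, and the sample header is constructed with placeholder values.

```python
from urllib.parse import parse_qsl

# Sub-field names treated as sensitive. Assumption: chosen from the field
# names visible in the advisory's cookie; extend for your own application.
SENSITIVE = {"UID", "PIN", "EMAIL", "BALANCE", "FIRSTNAME", "LASTNAME"}

# Constructed sample that follows the advisory's cookie pattern
# (placeholder values, not real account data).
SAMPLE = ("backup=UID=12345678&FIRSTNAME=ABC&CURRENCY%5FSYMBOL=%24&PIN=0000"
          "&LASTNAME=DEF&BALANCE=1097&EMAIL=xxx%40sample%2Eorg;"
          "FVAL=XX5FGHY=A5BF6767;FlatRate=STATUS=%2D1;"
          "D3Box=FILESERVERDIR=ipost&MAILADDRESS=+&COOKIESTATUS=+")


def mask(value):
    """Keep the first character only, so the audit report does not leak the value."""
    return value[:1] + "*" * (len(value) - 1)


def audit_cookie_header(header):
    """Return [(cookie, field, masked_value)] for sensitive fields readable in cleartext."""
    findings = []
    for cookie in header.split(";"):
        cookie = cookie.strip()
        if not cookie:
            continue
        name, _, value = cookie.partition("=")
        # Each cookie value is itself a URL-encoded key=value&key=value list,
        # so URL-decoding is all a reader needs to recover every field.
        for field, decoded in parse_qsl(value, keep_blank_values=True):
            if field.upper() in SENSITIVE and decoded.strip():
                findings.append((name, field, mask(decoded)))
    return findings


if __name__ == "__main__":
    for cookie, field, masked in audit_cookie_header(SAMPLE):
        print(f"{cookie}: {field} is stored in cleartext ({masked})")
```

Any finding means the field should be moved server-side behind an opaque session identifier, or the cookie value should be encrypted as the Solution recommends.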