PC-to-Phone is a popular service that lets PC users place calls to other PCs or to telephones. A security vulnerability in the Windows dialer allows any local user on a shared machine to read other users' account details (including the account password, which is also the credential used for billing) and their log of phone calls.

Credit:
The information has been provided by Arthur Hagen.
Vulnerable systems:
 * PC-to-Phone version 3.0.3

Details:
The dialer writes both the account number and the account password to a file named "temp.html" in the PC-to-Phone install directory, and that file is world readable. On a multi-user system any local user can therefore read the account number and password of whoever is currently logged in to the dialer, or of the last user to have logged in if the file was left behind by a program or system crash.

The same applies to the log and PhoneBook folders, which live in the shared install directory rather than in each user's profile, so every user's call records and contacts are readable by every other local user.
Vendor response:
--- cut here ---
Dear Mr. Hagen,
I am the Product Manager for PC2Phone, and I wanted you to know that I received your e-mail and that I sincerely thank you for drawing this issue to our attention.
Deltathree has rallied around solving this issue, and is committed to providing a comprehensive and expedient solution. To update you on our progress, it appears that this bug cannot be addressed by a quick hot fix; we will need to do some significant development work. We have adjusted our development priorities accordingly and are committed to releasing a new version of PC2Phone in the upcoming quarter.
Based on your e-mail, we have decided (just this afternoon) to provide different dialers for multi-user and single-user/secure systems. In the latter, the user will be able to store neither the account nor the password, thus mitigating the potential security issue you identified. In the multi-user system, we will ensure that all data is properly secured.
On behalf of all of Deltathree and iConnectHere's customers, I thank you for bringing this to our attention. Based on user feedback, we are able to offer ever-improving products and services, and we sincerely appreciate this opportunity to serve you better.
Sincerely,
Jennifer Alexander
Product Manager, Access Devices
jennifera@deltathree.com
--- cut here ---