I'll post here what i've posted elsewhere im sure it will be of interest.
I thought that it may be of interest for people to know that one of
the UK's leading Internet Service Providers, Wanadoo (formerly Freeserve)
is suffering from a serious yet very simple security flaw that exposes the
account information of many of its customers.
The problem that allows this is a simple and fairly common
vulnerability, index browsing that exists in their account recovery system
web servers. The web servers have been incorrectly configured allowing the
user to view the contents of an entire folder instead of just an index web page,
ex: index.htm or index.php and as this particular system relies on unique
undisclosed filenames to stop users retrieving each others accounts this simple
flaw proves to be far more dangerous.
This vulnerability has existed for no less than 2 years and has remained
unnoticed and unresolved. The information is easily accessible to any user
with a web browser(granny Higgins could do it) and reveals the Real Name,
Username,Password,E-mail Address and Web space sub domain of the listed customers.
Accessing this information (to my knowledge) is not even illegal as the web
servers it's stored on do not challenge you for authentication when accessing it.
I feel that any company dealing with technology at this level should be far more
aware of security and yet it seems that it has been grossly neglected at the expense
of the customer. If an ISP is making mistakes of this magnitude how can any of
its users ever hope to be safe?
Below are the links that give access to the aforementioned servers. I do this as
a matter of making it public knowledge and forcing prompt action in fixing the issue,
so please anyone thinking of abusing it show some restraint.
REMOVED LINKS UNTIL VERIFIED WITH WANADDO - edit by Admin
edit by admin:
LINKS VERIFIED - Please read through all of this post - IMPORTANT
Site AdminJoined: 07 Apr 2006Posts: 784Location: United Kingdom
Have emailed Wanadoo with the links that were posted.
The pages are now protected!
Oh how quickly they react when they could be in trouble themselves!
Gammarays - Please could you contact me at your earliest convenience - I have emailed you.
I looked into the files that were posted and... I hate to say it... YES they definitely appeared to be customer details which allowed me to access email accounts and data that these email accounts had within them.
Fortunately, I am not of a criminal mind.
All appeared to be dial-up accounts - but... many of these accounts may have changed to broadband and kept the same access details.
Not too bad you may say... Well,... think about this... Does your bank use your Wanadoo email address? Does ebay use your Wanadoo email address? Does PayPal use your Wanadoo email address? All of these details are accessible if somebody has access to your email username and password...
The affected customers should be warned as anybody with hard copies of these pages can still access personal information. PASSWORDS SHOULD BE CHANGED
Site AdminJoined: 07 Apr 2006Posts: 784Location: United Kingdom
They do look like Dialup Setup scripts
That's exactly what they are... And how many of these customers have upgraded to broadband since these files were made? And probably kept the same username and password?
As stated above, there were over 20,000 customer files which were accessible to anybody...
A complete breach of the Data Protection Act... Considering the original message poster, Gammarays, had contacted Wanadoo previously and warned them about this flaw. And Wanadoo did not take any action.
They have now...
Although Wanadoo have closed off the pages, the files are still accessible...
At the moment, and fortunately for the customers I am of a non-corrupt nature, I have the details to 6,986 Wanadoo customer usernames, passwords and domain names... All accessed AFTER they closed off the pages...
If anyone has hard copies of the original pages, they will still be able to access customer login, username, password and email details.
I would strongly advise anybody with a Wanadoo account to change their password!
Hopefully, nobody of a corrupt nature has all these customer details, but if they do, it will take them a long time to get through them all but could be potentially very profitable...
You bank online. Your bank has your Wanadoo email address. Your security details for accessing your online bank are within emails in your inbox.
You use e-bay. E-bay has your Wanadoo email address. Your security details for accessing E-bay are within emails in your inbox.
You use PayPal. PayPal has your Wanadoo email address. Your security details for accessing PayPal are within emails in your inbox.
You have an online business. You forward your business emails through your Wanadoo account.
By having access to your email account, all of teh above usernames and passwords can be changed giving the unauthorised user access to your money!
I feel this is an issue of utmost importance. In that respect, I have contacted a national newspaper and BBC Newsdesk and I am waiting for a reply back from the latter.
It is important that customers are made aware of this so that they can take the necessary measures to protect their accounts.
Wanadoo PR have told me that they will call me tomorrow (Wednesday 17 May 2006) to update me on this issue so that I can post back...
In the meantime, if Wanadoo are reading this... Take note:
Your customer accounts system, at least the 20,000 accounts emailed to you today, is still vulnerable. Please take measures to protect these highly sensitive files.
Yes, I wouldn't be in the least bit suprised if they do try and pretend it never happend but if they do that then how the hell are their customers gonna know to change their details.
I've seen no notice on the website and I've not heard of them sending emails out to all the people who might be affected. I think by the fact they didn't return an important phone call shows a great lack of commitment towards really solving this thing.
Be nice to see them take a change in stance on this shortly.
I became aware of this after a posting by Gammarays in another forum at the weekend. The post was pulled pending a response from Wanadoo but has now been restored to allow open discussion.
I emailed Wanadoo (well, used a form on their website - they don't actually give a menaingful address for reporting these things) on Saturday and have not yet received a reply. The data which was available for several days since this disclosure, and presumably has been for much time previously.
The data was held on servers in Portugal but related to UK accounts.
NOTE: this affects ALL flavours of Wanadoo, including old Freeserve and FSNet accounts. Most of the data seemed to relate to older accounts pre-2005 but as stated above, many people will have never changed their password.
This is a very serious issue which Wanadoo have completely failed to respond to me about. I am advising my clients to change their passwords immediately and then to change ISP - who knows which other servers are still vulnerable?
There seems to be nothing on Wanadoo's website in their "safety online" section nor their press releases, but I telephoned and they did admit to the issue having been there. They said they would be emailing (d'oh!) or writing to those affected - as pointed out already, this is a large number of people (I know, I visited the ins file pages in question). Interestingly, they pointed out that it was public as it was posted here, although they were a little less clear about how 'official' this site is or whether anyone representing Wanadoo had added any information.
Thanks to GammaRays for letting the world know (albeit letting the hackers, spammers and phishers know at the same time, but never mind, it's sorted now)
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum