I'll post here what I've posted elsewhere; I'm sure it will be of interest.

I thought that it may be of interest for people to know that one of the UK's leading Internet Service Providers, Wanadoo (formerly Freeserve), is suffering from a serious yet very simple security flaw that exposes the account information of many of its customers.

The problem that allows this is a simple and fairly common vulnerability, index browsing, that exists in their account recovery system web servers. The web servers have been incorrectly configured, allowing the user to view the contents of an entire folder instead of just an index web page, e.g. index.htm or index.php, and as this particular system relies on unique undisclosed filenames to stop users retrieving each other's accounts, this simple flaw proves to be far more dangerous.

This vulnerability has existed for no less than 2 years and has remained unnoticed and unresolved. The information is easily accessible to any user with a web browser (Granny Higgins could do it) and reveals the Real Name, Username, Password, E-mail Address and Web space sub-domain of the listed customers. Accessing this information (to my knowledge) is not even illegal, as the web servers it's stored on do not challenge you for authentication when accessing it.

I feel that any company dealing with technology at this level should be far more aware of security, and yet it seems that it has been grossly neglected at the expense of the customer. If an ISP is making mistakes of this magnitude, how can any of its users ever hope to be safe?

Below are the links that give access to the aforementioned servers. I do this as a matter of making it public knowledge and forcing prompt action in fixing the issue, so please, anyone thinking of abusing it, show some restraint.
REMOVED LINKS UNTIL VERIFIED WITH WANADOO - edit by Admin
edit by admin:
LINKS VERIFIED - Please read through all of this post - IMPORTANT
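The flaw described in the post above is a server answering a folder URL with an auto-generated file listing, which defeats any scheme that relies on filenames staying secret. The following is an added self-audit example (not code from the thread or from Wanadoo) that recognises such listings from common servers and reports the filenames they expose; the HTML samples and paths are constructed, and the fetch function is injected so it runs offline.

```python
import re
from typing import Callable, Dict, List

# Constructed sample bodies: what a folder URL returns when directory
# indexing is on (a listing) versus when a real index page is served.
LISTING_SAMPLE = """<html><head><title>Index of /recovery/</title></head>
<body><h1>Index of /recovery/</h1>
<a href="../">Parent Directory</a>
<a href="a1b2c3d4.ins">a1b2c3d4.ins</a>
<a href="e5f6a7b8.ins">e5f6a7b8.ins</a>
</body></html>"""

INDEX_PAGE_SAMPLE = """<html><head><title>Account recovery</title></head>
<body><h1>Account recovery</h1><form action="recover">...</form></body></html>"""

# Markers of server-generated listings (Apache/nginx autoindex, IIS).
# Requiring two hits avoids flagging a page that merely mentions "Index of".
LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"Parent Directory", re.I),
    re.compile(r"<title>[^<]* - /", re.I),   # IIS style "host - /path/"
]
# Relative links to files with an extension; "../" and "?C=M" style links are skipped.
FILE_LINK = re.compile(r'href="([^"/?#]+\.[a-z0-9]+)"', re.I)


def is_directory_listing(body: str) -> bool:
    """True when the body looks like a server-generated folder index."""
    hits = sum(1 for p in LISTING_PATTERNS if p.search(body))
    return hits >= 2


def exposed_files(body: str) -> List[str]:
    """File names linked from a listing page, i.e. what any visitor could fetch."""
    return sorted(set(FILE_LINK.findall(body)))


def audit(paths, fetch: Callable[[str], str]) -> Dict[str, List[str]]:
    """Check folder URLs on a server you administer.  fetch(path) returns the
    response body; inject a real HTTP client in practice, a dict lookup in tests."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        body = fetch(path)
        if is_directory_listing(body):
            findings[path] = exposed_files(body)
    return findings
```

On Apache the remediation is `Options -Indexes` for the directory (and an authentication requirement, since hidden filenames are not a control); nginx needs `autoindex off`.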
Site Admin | Joined: 07 Apr 2006 | Posts: 784 | Location: United Kingdom
Have emailed Wanadoo with the links that were posted.
The pages are now protected!
Oh how quickly they react when they could be in trouble themselves!
Gammarays - Please could you contact me at your earliest convenience - I have emailed you.
I looked into the files that were posted and... I hate to say it... YES they definitely appeared to be customer details which allowed me to access email accounts and data that these email accounts had within them.
Fortunately, I am not of a criminal mind.
All appeared to be dial-up accounts - but... many of these accounts may have changed to broadband and kept the same access details.
Not too bad you may say... Well,... think about this... Does your bank use your Wanadoo email address? Does ebay use your Wanadoo email address? Does PayPal use your Wanadoo email address? All of these details are accessible if somebody has access to your email username and password...
The affected customers should be warned as anybody with hard copies of these pages can still access personal information. PASSWORDS SHOULD BE CHANGED
Just to emphasise the importance of this security issue, screenshots of the information that was available are below (obviously with sensitive information obfuscated).
Also, note that this was affecting up to 20,000 Wanadoo customers!
Quote:
They do look like Dialup Setup scripts
That's exactly what they are... And how many of these customers have upgraded to broadband since these files were made? And probably kept the same username and password?
As stated above, there were over 20,000 customer files which were accessible to anybody...
A complete breach of the Data Protection Act... Considering the original message poster, Gammarays, had contacted Wanadoo previously and warned them about this flaw. And Wanadoo did not take any action.
They have now...
Although Wanadoo have closed off the pages, the files are still accessible...
At the moment, and fortunately for the customers I am of a non-corrupt nature, I have the details to 6,986 Wanadoo customer usernames, passwords and domain names... All accessed AFTER they closed off the pages...
If anyone has hard copies of the original pages, they will still be able to access customer login, username, password and email details.
I would strongly advise anybody with a Wanadoo account to change their password!
Hopefully, nobody of a corrupt nature has all these customer details, but if they do, it will take them a long time to get through them all but could be potentially very profitable...
Consider this...
You bank online. Your bank has your Wanadoo email address. Your security details for accessing your online bank are within emails in your inbox.
You use e-bay. E-bay has your Wanadoo email address. Your security details for accessing E-bay are within emails in your inbox.
You use PayPal. PayPal has your Wanadoo email address. Your security details for accessing PayPal are within emails in your inbox.
You have an online business. You forward your business emails through your Wanadoo account.
By having access to your email account, all of the above usernames and passwords can be changed, giving the unauthorised user access to your money!
I feel this is an issue of utmost importance. In that respect, I have contacted a national newspaper and BBC Newsdesk and I am waiting for a reply back from the latter.
It is important that customers are made aware of this so that they can take the necessary measures to protect their accounts.
Wanadoo PR have told me that they will call me tomorrow (Wednesday 17 May 2006) to update me on this issue so that I can post back...
In the meantime, if Wanadoo are reading this... Take note:
Your customer accounts system, at least the 20,000 accounts emailed to you today, is still vulnerable. Please take measures to protect these highly sensitive files.
Yes, I wouldn't be in the least bit surprised if they do try and pretend it never happened, but if they do that then how the hell are their customers gonna know to change their details?
I've seen no notice on the website and I've not heard of them sending emails out to all the people who might be affected. I think by the fact they didn't return an important phone call shows a great lack of commitment towards really solving this thing.
Be nice to see them take a change in stance on this shortly.
I became aware of this after a posting by Gammarays in another forum at the weekend. The post was pulled pending a response from Wanadoo but has now been restored to allow open discussion.
I emailed Wanadoo (well, used a form on their website - they don't actually give a meaningful address for reporting these things) on Saturday and have not yet received a reply. The data was available for several days after this disclosure, and presumably had been for a long time previously.
The data was held on servers in Portugal but related to UK accounts.
NOTE: this affects ALL flavours of Wanadoo, including old Freeserve and FSNet accounts. Most of the data seemed to relate to older accounts pre-2005 but as stated above, many people will have never changed their password.
This is a very serious issue which Wanadoo have completely failed to respond to me about. I am advising my clients to change their passwords immediately and then to change ISP - who knows which other servers are still vulnerable?
There seems to be nothing on Wanadoo's website in their "safety online" section nor their press releases, but I telephoned and they did admit to the issue having been there. They said they would be emailing (d'oh!) or writing to those affected - as pointed out already, this is a large number of people (I know, I visited the ins file pages in question). Interestingly, they pointed out that it was public as it was posted here, although they were a little less clear about how 'official' this site is or whether anyone representing Wanadoo had added any information.
Thanks to GammaRays for letting the world know (albeit letting the hackers, spammers and phishers know at the same time, but never mind, it's sorted now)
P.S.
I have contacted all National Newspapers with this story... I, like many others, believe that it is in the public interest to know of this security flaw.
However, none (other than The Register) have run with this story...
Perhaps Wanadoo spend too much money on advertising with these papers: