Discovering Security Vulnerabilities and What To Do
20/09/2012 Article
window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-SSTZC704MH');
A little while ago a small web design company (E-rizon) I have dealings with called me when they stumbled upon a security vulnerability. In the beginning, it appeared to be incredibly serious. Over the years I have had a lot of conversations about Information Security Vulnerabilities and bless-em, they were really excited.
Aside from being proud they thought they had found a vulnerability. They hadn’t a clue what to do next. As their friendly information security expert (read geek) I was apparently “the man” to turn to.
We chatted for a little while. I got them to demonstrate the issue to me and sure enough, they had found something that at first glance looked incredibly serious.
The vulnerability was in the password reset functionality of 123-reg.co.uk. This is a fairly large domain name and hosting provider owned by Webfusion.
It was staggeringly easy to execute too.
All you had to do was to go to the login prompt and click “Forgot Your Password?”, enter the username on the new form and click “Submit”. It then takes you to a secret question form with a link at the bottom “Don’t remember your security question?” On this last form, pop your username in the top and click submit at the bottom. Next, you get a form asking you which email address you want to send a new password to. Enter any email address you want and press submit, a few seconds later you receive a new password!
Now, before you gasp – there is a catch.
This email does contain a password, but it does not contain a username. Upon further testing, the password doesn’t actually link to the username you submitted the form for.
Still, this didn’t strike me as very good.
Individuals can use it to spam email addresses or conceivably even some sort of denial of service attack against 123-reg.
Clearly, as an information security professional, I had to do something with this information.
The obvious place to start is to give the helpdesk a ring and ask for their IT team. I’ll be honest I wasn’t expecting them to respond very well. As I expected they refused to pass me to anyone who could deal with the situation. A bit of research later I got lots of contact details of Webfusion and 123-reg. I tried to ring all the phone numbers and emailed all the email addresses and got a combination of number not in use messages or bounce back email addresses. Except for one email to a specific person at the Webfusion NOC (Network Operations Centre). A few hours later I received a phone call from Webfusion. After describing and demonstrating the vulnerability they agreed with me and they promised to get the problem solved.
That was all about a month ago and after testing their password recovery mechanism earlier today I am happy to report that this vulnerability no longer applies.
I have to say I completely expect vulnerabilities discovered by “lay people” to go unreported and this incident seems to illustrate that nicely – even for an information security professional it wasn’t easy to find accurate contact details for someone responsible. I guess ultimately the help desk either didn’t care or more likely, had no idea how to deal with my call.
Learn how your organisation can identify Security Vulnerabilities
"*" indicates required fields