ISP: Your login detail is insecure. (Clientzone)

**Pr⊕phet** · 02-08-2012 09:04 AM

Is your ISP sending your client zone detail as plain text or is it actually encrypted ?

Which leaves the question what are these ISPs doing:

Pass:

Openweb: Pass ? - HTTPS
Afrihost: Pass - HTTPS, Username is case insensitive.
Mweb: Pass - HTTPS, Username is case insensitive.
Telkom: Pass - HTTPS

Fail:

CyberSmart: Fail? - HTTP, I would strongly advise against and ISP who plays reactionary. ***

I am not sure why someone would want to top up someone else’s account,” Fialkov joked, but added that even this is covered by their gig-back guarantee, so if a customer disputes the top-up and it really was not done from their location, a refund will be issued.

Despite being unconvinced of the purpose in securing their ADSL usage and top up pages, Fialkov said that they will do it if their users demand it.

Axxess: Fail?, though not sure about second GET - HTTP, Username is case insensitive. ***

WebAfrica: Username is case insensitive.

Initial - Fail - HTTP. Clear text over http.
Current - Pass ? - HTTPS. Login is now https, but what about that create session. Then there is also the cookie issue:
Cookies - Fail? Clear text as here or here.

:edit
Now one might ask why is this a bad thing?
Well for one if I casually intercepted your unencrypted detail, it would be very easy to log in and lie dormant. There is no need to abuse, just watch and collect info.

What if I made an err in the OP?
Obviously if I have made an err, then I'll correct it

::edit
*** Apparently Axxess and Cybersmart is also insecure according to Webarica:

Originally Posted by wakevinr

Hi Prophet

The only way to secure that information would be to use SSL. Unfortunately most of our website (except the customer zone) runs on normal http (for performance reasons). This means that we're unable to post to a secure server and read the response due to cross domain scripting limitations.
http://en.wikipedia.org/wiki/Same_origin_policy

If you can show me a reliable cross-browser technique to get around this issue, then we'll implement it.

Web Africa, Axxess and Cybersmart are "insecure" by that standard. The only reasons why the other guys are secure is because they don have a global login.

Web Africa
http://i45.tinypic.com/ff2s1u.png

Axxess
http://i46.tinypic.com/9vkx3k.png

Cybersmart
http://i46.tinypic.com/333d11y.png

:::edit
Seems that the username case insensitivity is due to A) being email or in case of WA/Axxess it's unknown speculation. Should your usename be case sensitive too ?

**twicode** · 02-08-2012 09:14 AM

Not such a big issue for me since the ISP can tell me which telephone numbers used my account. Similarly if someone steals my router and just plugs it in and uses it I got their home address through home number.

**Pr⊕phet** · 02-08-2012 09:17 AM

Originally Posted by twicode

Not such a big issue for me since the ISP can tell me which telephone numbers used my account. Similarly if someone steals my router and just plugs it in and uses it I got their home address through home number.

It's about safe practices. It is the clientzone we are speaking about, added the detail... my bad.

Biggest stupidity is to treat symptoms.

**hereticangel** · 02-08-2012 10:22 AM

mweb is encrypted

**Fudzy** · 02-08-2012 10:26 AM

Nice post! Consider the other information available (bank details etc) on these PIM systems. Not to mention the lazy will use one password for most sites so if they can access this place they will most likely try other accounts (GMail etc)

**The_Librarian** · 02-08-2012 11:12 AM

Never had a problem with my Afrihost account details getting stolen

You still need to test Telkom

**Pr⊕phet** · 02-08-2012 11:14 AM

Originally Posted by hereticangel

mweb is encrypted

Totally forgot about them

**Pr⊕phet** · 02-08-2012 11:27 AM

Originally Posted by The_Librarian

Never had a problem with my Afrihost account details getting stolen

You still need to test Telkom

Seems telkom has it down.

**gregmcc** · 02-08-2012 01:16 PM

Originally Posted by twicode

Not such a big issue for me since the ISP can tell me which telephone numbers used my account. Similarly if someone steals my router and just plugs it in and uses it I got their home address through home number.

That's not the point. What other info can someone get using your account - phone number/ id number / email / address. You dont need much more than that for identify theft.

**WAJeff** · 02-08-2012 01:48 PM

Originally Posted by WAJeff

Will have a chat with the Dev Manager when he comes in.

Waiting for feedback on this one.

**ranger** · 02-08-2012 05:55 PM

Originally Posted by twicode

Not such a big issue for me since the ISP can tell me which telephone numbers used my account. Similarly if someone steals my router and just plugs it in and uses it I got their home address through home number.

Resets your email password, logs into your mailbox, steals any useful info there (bank account details, ID number). Sends request to your bank to change your Cellphone number linked to your bank account using details found in your mailbox. Resets online banking password. Adds beneficiaries. Increases limits. Game over.

**Dan C** · 03-08-2012 12:29 AM

Yeah WebAfrica is wide open, noticed that a while back but didn't really bother.

**Pr⊕phet** · 03-08-2012 09:55 AM

Originally Posted by WAJeff

Waiting for feedback on this one.

mmkay

**WAJeff** · 03-08-2012 11:31 AM

We've pushed a change live earlier, can you guys please double check?

**Pr⊕phet** · 03-08-2012 12:46 PM

Originally Posted by WAJeff

We've pushed a change live earlier, can you guys please double check?

Doesn't look if it is secure:

Thread: ISP: Your login detail is insecure. (Clientzone)

Thread Tools

Display

ISP: Your login detail is insecure. (Clientzone)

Similar Threads

Afrihost Clientzone is down!

Afrihost Clientzone

Are atheists insecure?

Switching from Router login to WinXP login

Bookmarks

Bookmarks

Posting Permissions