Cell C's website sent me another user's login and password credentials...how?

Base122

I have five Cell C SIMs and use their website to log in and check balances etc.
I use Firefox 10.

In the website "Your number" log in box, I have all the numbers saved with passwords, so that I can easily click on each one to log in automatically. These numbers and passwords are saved in the Firefox "Saved Passwords" store.

A few days ago, I noticed a sixth number on the saved list on the login box.
I did not recognise this number and when I clicked on it, it showed a saved password.
So I logged in out of curiosity, not expecting much....

Behold! A page appears greeting me with someone's name I do not know.
Of course looking around a bit reveals all the details such as contract, banking, SIM Pin number etc. for this person.
(and no, I didn't get up to anything malicious!)

So I look in the Firefox saved passwords store and there is the other person's login number and the saved password, which I could view.

The only way this could have happened (or...??), is if the Cell C website somehow sent these credentials to my browser, which then stored them.

Now, no one else uses my computer and no way did I set up this log in credential at all.
I couldn't have known the number or password.

I did report this to Cell_C and they got the user to change the password.

A bit concerning though that this could happen.
Hopefully it is an isolated incident.

Any website experts out there care to explain the mechanics behind how this is possible?
 

T-Man

I think someone *did* use your PC. Who does the number belong to, have you tried it?
 

stevovo

> I think someone *did* use your PC. Who does the number belong to, have you tried it?

+1

I don't think any browser will allow a site to automatically save passwords on a client's machine.
 

Base122

> I think someone *did* use your PC. Who does the number belong to, have you tried it?

Nope. Not Possible.
I'm in Cape Town and this person is in Gauteng.

Don't know them, but I do know a lot about them now...:erm:

Didn't call them, rather let Cell_C sort that out and answer the awkward "why must I change my password" question.
 

Base122

> +1
>
> I don't think any browser will allow a site to automatically save passwords on a client's machine.

Well it happened, and I have the details to prove it :D

But this thread is more about the technical "how" did it happen?
 

rorz0r

Sounds like a mystery to me... There's no mechanism on any browser that would ever let a website insert anything into your saved passwords.
 

Solitude

I can tell you one thing, that "Remember Me" switch for Cell C has never worked for me.

How you got someone else's username and password is a mystery though. Is it technically possible? It's an interesting one.
 

Base122

> Sounds like a mystery to me... There's no mechanism on any browser that would ever let a website insert anything into your saved passwords.

Every time I use the website, I have to open Firefox's password store with my own password, to get it to use my saved passwords.

It then remains open while the browser is in use.
So something could be inserted in that time.

I was quite surprised to see the person's password "qwertyu1234567"
Something I would never use!

Oh and I have fully scanned my system for spyware etc.
 

ahf

And here I'm wondering why Cell C have my postal address incorrect, this after some phone calls to their Customer Dept, and I've also rectified it on the website myself, but still they have it wrong :confused:
Cell_C please explain... you have my personal details.
 

sajunky

All browsers are subject to security breaches. Change all your passwords now and never-ever store passwords in your browser.

It is possible that you had been assigned the same IP address as a previous user who didn't log out on exit; your browser could try to continue with the previous session (password stored by Firefox on exit), but it shouldn't happen on a secure connection.

Searching the Google cache facility, I could access posts on forums which normally require login to view posts. Why? Because Google is intercepting Web pages the user is visiting. I don't know the mechanism, but it is a fact; it happened frequently.
 

Base122

> All browsers are subject to security breaches. Change all your passwords now and never-ever store passwords in your browser.
>
> It is possible that you had been assigned the same IP address as a previous user who didn't log out on exit; your browser could try to continue with the previous session (password stored by Firefox on exit), but it shouldn't happen on a secure connection.

Apparently a secure connection:
https://www.cellc.co.za/login/page/login

Then there is that Google search toolbar lurking in the top right corner....
and who knows what else is embedded in the page...

I see the stored passwords, are actually being stored against this url:
https://sso.cellc.co.za

Click and check where that ends up....some IBM HTTP Server page
 

ginggs

impo3_522923.jpg
 

Base122

Lol!....
Well I'm not about to post some other poor individual's personal details on an open forum, just to "prove" it happened. :p

...and obviously, I didn't "save" anything anyway :whistling: ...that would just be plain wrong!

Anyhow, Cell_C knows the truth, but he probably won't comment due to corporate policy and all.

So back to the original question, how did this person's number and password get transmitted to my browser and end up in my password store?

Not impossible that I may have responded to a "Do you want to save this password" pop up from Firefox with a yes, thinking it had to do with one of my own logins.
 

ginggs

> So back to the original question, how did this person's number and password get transmitted to my browser and end up in my password store?

Now that might be a question for the Firefox developers. I always understood those details could only come from fields that you entered.

The "remember me" switch that Solitude mentioned above, is completely different, and should save a cookie on your computer. I think that cookie comes from the website.
 

sajunky

We will be unable to resolve it here, nor Cell_C. Just remember that what happened to the other person can happen to you as well. I repeat:
Change all your passwords now and never-ever store passwords in your browser.
 

Base122

> We will be unable to resolve it here, nor Cell_C. Just remember that what happened to the other person can happen to you as well. I repeat:
> Change all your passwords now and never-ever store passwords in your browser.

....but but...it's just sooooo inconvenient not to...brain just can't remember all those different passwords anymore. :p
 

Base122

So this same thing happened again on Wednesday morning.

This time I took careful note of the sequence of events and captured some screens.

This happened on my Windows 7 64-bit machine running Firefox 15.0.1 (up to date).

I opened Firefox, surfed some websites and then, as I have done many times over the last few months since the previous incident, clicked on my Cell C bookmark "http://www.cellc.co.za/my-account".

I would normally expect this page: (with blank "Your number" and "Your password" fields)

[screenshot]

Instead I got: (with the two fields already populated and "Remember me" set)

[screenshot]

I didn't recognize the number and there was clearly a password present as well. (dots)
So I clicked the LOGIN button to see what would happen....

Then I got this page:

[screenshot]

Firefox asked if I would like to save the username password combination for this page, which I did.

In my Firefox saved password store, I now see the password (edited for obvious reasons)

[screenshot]

Now, my name is not David and this is not one of my accounts :wtf:
So here I now have full access to this customer's account, personal, banking details and the like.
Downloaded an invoice with no problem.

I now know a whole lot more about David ***** than he would probably be happy with!

Anyhow, I sent all the relevant information, screen captures and invoice to Cell_C for them to investigate and take action.

Also advised them to request this customer change their password (still hasn't happened).
(May be embarrassing to explain why "sorry sir, but your password has been compromised, due to a problem on our system") :whistling:

Yesterday morning I saw this:

[screenshot]

Apparently the problem has now been fixed ;)

Of course this is very difficult to verify, as I am pretty certain this problem only occurs under a very specific set of conditions.
Very difficult to test for or replicate.

So what could have happened here?

Normally clicking on the bookmark URL would return a page with blank user and password fields, which I would then populate.

On clicking LOGIN, these credentials would be sent to the server, verified against a database and if correct, I would be returned a page with account information etc.

So the question is, how could the server have sent me an already populated page (with another customer's credentials) when I should have been sent a normal initial login page with blank fields?

Is it possible that the user had just logged in and submitted the page to the server, which was then somehow returned to me, as I requested the normal login page at the same time?

As a matter of interest, the last four digits of my own number are 3972, which is the same as the last four digits of this user's number, but in a different order. I can't see that this is more than coincidental though, as how would the server know my number when I requested the initial login page? Take into account, I had never set the "Remember me" option on that specific page. Maybe a background script up to something?

It would be interesting to know if anyone else has had this type of incident happen in the last few months?

If I were a malicious individual, I could have easily blocked this customer's SIM on the Website and left them with endless frustration!

Imagine them contacting the call center and being told.....
"but Sir, you blocked the SIM on the website"
"NO I DIDN'T!!"
"but Sir, our records show that you did!"
*vein in forehead starts emerging*

....you get the picture
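
Added example, not part of the thread and not code from Cell C or Firefox: the symptom described in the post above (a login page that arrives with the number and password fields already populated and "Remember me" set) can be checked for on the operator's side by fetching the login page with no cookies or session and auditing the returned HTML. It does not establish what caused the incident; the field names and both sample pages are constructed for illustration.

```python
from html.parser import HTMLParser


class LoginFormAudit(HTMLParser):
    """Records login-form inputs that the server sent already filled in."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "text").lower()
        name = a.get("name", "(unnamed)")
        filled = bool(a.get("value", "").strip())
        # Only field names are recorded, never the leaked values themselves.
        if kind == "password" and filled:
            self.findings.append(("password-prefilled", name))
        elif kind in ("text", "tel", "number") and filled:
            self.findings.append(("identifier-prefilled", name))
        elif kind == "checkbox" and "checked" in a:
            self.findings.append(("checkbox-preset", name))


def audit_login_page(html):
    """Return findings for a login page fetched with no cookies or session."""
    parser = LoginFormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample responses; field names (msisdn, password, remember_me)
# and values are hypothetical, not taken from the Cell C site.
BLANK_PAGE = """<form method="post">
<input type="text" name="msisdn" placeholder="Your number">
<input type="password" name="password">
<input type="checkbox" name="remember_me">
<input type="submit" value="LOGIN"></form>"""

POPULATED_PAGE = """<form method="post">
<input type="text" name="msisdn" value="0000000000">
<input type="password" name="password" value="constructed-example">
<input type="checkbox" name="remember_me" checked>
<input type="submit" value="LOGIN"></form>"""

if __name__ == "__main__":
    for label, page in (("blank", BLANK_PAGE), ("populated", POPULATED_PAGE)):
        print(label, audit_login_page(page))
```

Any finding on an anonymous request means the server put those values into the page, since a browser's own autofill never appears in the HTML the server returned.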
 