Iburst Security Warning

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
Hi there,

I just wanted to purchase bandwidth online using the iburst web site. I ran a tcpdump from another computer on the network, and found that my credit card number was being transmitted unencrypted across the network.

This effectively means that anyone with half a brain cell sitting between your computer and the server at iburst could intercept your credit card details.

Sure, if you are using iburst at the time, there are fewer people in between who would have access to this data, but it is unacceptable that this data is not encrypted!

I would normally inform webmasters with non-secure websites before publishing this type of information, but it is so basic that they must already be aware of it, and if not, they should employ someone who has the necessary skills!

Here is an extract of the trace - secure information has been removed. 12345678901234 is the card number I used. Sorry about the formatting.

22:33:22.106327 IP 196.30.31.118.http > 196.2.11.18.2337: P 1393:2505(1112) ack 2553 win 11136
0x0020: 5018 2b80 696c 0000 5f50 726f 6475 6374 P.+.il.._Product
0x0030: 5f31 2220 5641 4c55 453d 2233 4742 2069 _1".VALUE="3GB.i
0x0040: 4275 7273 7420 4261 6e64 7769 6474 6822 Burst.Bandwidth"
0x0050: 3e0d 0a09 093c 494e 5055 5420 5459 5045 >....<INPUT.TYPE
0x0060: 3d22 6869 6464 656e 2220 4e41 4d45 3d22 ="hidden".NAME="
0x0070: 4c69 7465 5f4f 7264 6572 5f4c 696e 6549 Lite_Order_LineI
0x0080: 7465 6d73 5f51 7561 6e74 6974 795f 3122 tems_Quantity_1"
0x0090: 2056 414c 5545 3d22 3122 3e0d 0a09 093c .VALUE="1">....<
0x00a0: 494e 5055 5420 5459 5045 3d22 6869 6464 INPUT.TYPE="hidd
0x00b0: 656e 2220 4e41 4d45 3d22 4c69 7465 5f4f en".NAME="Lite_O
0x00c0: 7264 6572 5f4c 696e 6549 7465 6d73 5f41 rder_LineItems_A
0x00d0: 6d6f 756e 745f 3122 2056 414c 5545 3d22 mount_1".VALUE="
0x00e0: 3339 3930 3022 3e0d 0a09 093c 494e 5055 39900">....<INPU
0x00f0: 5420 5459 5045 3d22 6869 6464 656e 2220 T.TYPE="hidden".
0x0100: 4e41 4d45 3d22 4563 6f6d 5f42 696c 6c54 NAME="Ecom_BillT
0x0110: 6f5f 4f6e 6c69 6e65 5f45 6d61 696c 2220 o_Online_Email".
0x0120: 5641 4c55 453d 2270 6175 ----- ----- ----- VALUE="-------------
0x0130: 2e63 6f2e 7a61 223e 0d0a 0909 3c49 4e50 .co.za">....<INP
0x0140: 5554 2054 5950 453d 2268 6964 6465 6e22 UT.TYPE="hidden"
0x0150: 204e 414d 453d 2245 636f 6d5f 5061 796d .NAME="Ecom_Paym
0x0160: 656e 745f 4361 7264 5f4e 756d 6265 7222 ent_Card_Number"
0x0170: 2056 414c 5545 3d22 3132 3334 3536 3738 .VALUE="12345678
0x0180: 3930 3132 3334 223e 0d0a 0909 3c49 4e50 901234">....<INP
0x0190: 5554 2054 5950 453d 2268 6964 6465 6e22 UT.TYPE="hidden"
0x01a0: 204e 414d 453d 2245 636f 6d5f 5061 796d .NAME="Ecom_Paym
0x01b0: 656e 745f 4361 7264 5f45 7870 4461 7465 ent_Card_ExpDate
0x01c0: 5f4d 6f6e 7468 2220 5641 4c55 453d 2230 _Month".VALUE="0
0x01d0: 3122 3e0d 0a09 093c 494e 5055 5420 5459 1">....<INPUT.TY
0x01e0: 5045 3d22 6869 6464 656e 2220 4e41 4d45 PE="hidden".NAME
0x01f0: 3d22 4563 6f6d 5f50 6179 6d65 6e74 5f43 ="Ecom_Payment_C
0x0200: 6172 645f 4578 7044 6174 655f 5965 6172 ard_ExpDate_Year
0x0210: 2220 5641 4c55 453d 2232 3030 3722 3e0d ".VALUE="2007">.
0x0220: 0a09 093c 494e 5055 5420 5459 5045 3d22 ...<INPUT.TYPE="
0x0230: 6869 6464 656e 2220 4e41 4d45 3d22 4563 hidden".NAME="Ec
0x0240: 6f6d 5f50 6179 6d65 6e74 5f43 6172 645f om_Payment_Card_
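Added example (not part of the original post): a Python script that audits a saved `tcpdump -X` text capture of your own traffic for form fields carrying card or contact data over plain HTTP. The sample rows are copied from the trace above, with the poster's placeholder card number; the function names and the sensitive-name pattern are assumptions of this example, and values are masked before they are reported.

```python
import re

# Rows copied from the trace above (placeholder card number 12345678901234).
SAMPLE = '''\
22:33:22.106327 IP 196.30.31.118.http > 196.2.11.18.2337: P 1393:2505(1112) ack 2553 win 11136
0x0130: 2e63 6f2e 7a61 223e 0d0a 0909 3c49 4e50 .co.za">....<INP
0x0140: 5554 2054 5950 453d 2268 6964 6465 6e22 UT.TYPE="hidden"
0x0150: 204e 414d 453d 2245 636f 6d5f 5061 796d .NAME="Ecom_Paym
0x0160: 656e 745f 4361 7264 5f4e 756d 6265 7222 ent_Card_Number"
0x0170: 2056 414c 5545 3d22 3132 3334 3536 3738 .VALUE="12345678
0x0180: 3930 3132 3334 223e 0d0a 0909 3c49 4e50 901234">....<INP
'''

HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+)\.(\w+) > (\S+)\.(\w+):")
# Assumes full rows of 4-hex-digit groups, as in the trace; the ASCII column is ignored
# because it replaces non-printable bytes with dots.
HEXLINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4} ){1,8})", re.I)
FIELD = re.compile(rb'NAME="([^"]+)"\s+VALUE="([^"]*)"', re.I)
SENSITIVE = re.compile(rb"card|expdate|email", re.I)  # assumed naming pattern
CLEARTEXT_PORTS = {"http", "80"}

def parse_dump(text):
    """Return one dict per packet: source port, destination port, raw bytes."""
    packets, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"sport": header.group(2), "dport": header.group(4),
                       "data": bytearray()}
            packets.append(current)
            continue
        row = HEXLINE.match(line)
        if row and current is not None:
            current["data"] += bytes.fromhex(row.group(1))
    return packets

def mask(value):
    """Keep only the last four characters so the report never stores the full value."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def find_cleartext_fields(text):
    """List (field name, masked value) for sensitive fields seen on an HTTP port."""
    findings = []
    for pkt in parse_dump(text):
        if pkt["sport"] not in CLEARTEXT_PORTS and pkt["dport"] not in CLEARTEXT_PORTS:
            continue
        for name, value in FIELD.findall(bytes(pkt["data"])):
            if SENSITIVE.search(name) and value:
                findings.append((name.decode("ascii", "replace"),
                                 mask(value.decode("ascii", "replace"))))
    return findings
```

The source port in the header is `http`, so this packet is the server echoing the card number back to the browser in a hidden form field over an unencrypted connection.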
 

RVFmal

Expert Member
Joined
Oct 27, 2004
Messages
2,169
TheRoDent said:
Can one do anything but rofl?
Not really. With CC fraud as rife as it is I think the above is completely inexcusable and they should be taken to task for it.
 

JET@WORK

Well-Known Member
Joined
Aug 8, 2005
Messages
213
This is a product of web development software... What happened to good old hard coding and giving the job to the best qualified person instead of the B*E Stuff...
 

Crash

Senior Member
Joined
Nov 15, 2004
Messages
942
Huh?

But....the website is HTTPS.... so all the data being sent to the WBS Webserver should be encrypted.....
How does it end up in plain text then?

I'm confused.
 

DFantom

Expert Member
Joined
May 20, 2004
Messages
1,498
Crash said:
But....the website is HTTPS.... so all the data being sent to the WBS Webserver should be encrypted.....
How does it end up in plain text then?

I'm confused.
Cause sparky here isn't going to https, his tcpdump is stating he is using http for some reason
22:33:22.106327 IP 196.30.31.118.http
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
HTTPS Explanation

You are right, the page itself is HTTPS, but the piece of the page which takes the credit card numbers is Flash. While it shows as HTTPS, when you actually submit, it establishes 2 http connections to 2 different servers, then an https connection, and then another 2 http connections.

Also remember that just because the frameset is https, that doesn't mean that the frames within it are.

I would encourage someone else to do the same test and see what happens on your computer and post the results. You can use any credit card details you like.
 

kingmonty

Expert Member
Joined
Jul 15, 2005
Messages
4,268
JET@WORK said:
This is a product of web development software... What happened to good old hard coding and giving the job to the best qualified person instead of the B*E Stuff...
agreed 100%.
 

QuadDamage

Active Member
Joined
May 10, 2005
Messages
87
This is not acceptable!!!
In today's day and age where we buy stuff over the net with our CC's we have become so secure in the fact that companies will protect us (the users) and our details. I never check these things anymore (too trusting).
Well spotted and thank you for pointing it out!!!
 

mic_y

Expert Member
Joined
Dec 23, 2004
Messages
1,645
Holy cr@p... ok that is actually scary... thx for the warning. and 100% agreement on B** aspect...
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
Another Security Warning!

Well, I assume that the iBurst Developers read this forum. The Credit Card details are no longer transmitted on an unsecure connection.

But unfortunately, that's not good enough. If you click on "Edit My Account" (down the left menu), it loads a flash program that proceeds to request all your personal details from their server, down a non-secure connection. This includes everything from your ID Number to your Banking details, phone numbers, etc. It's there for the "man-in-the-middle" to see!

I would like to think that all information displayed on a page that says HTTPS is secure, but this is obviously not the case at this stage.

This has now been independently tested on 2 OS's and 2 different browsers. And no, I didn't change the URL from HTTPS to HTTP. Try it for yourself. Just open a DOS prompt and do a "netstat -n" when it says "Retrieving your information" on the "edit my account" screen - then ask yourself why there are connections to WBS on port 80.

This is totally unacceptable!
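Added example (not part of the original post): the `netstat -n` check described above, automated in Python so a snapshot taken while the page loads can be audited for site hosts reached on anything other than port 443. The addresses are constructed documentation-range values, the snapshot mixes Windows-style and Linux-style rows, and the function name is an assumption of this example.

```python
from collections import defaultdict

# Constructed snapshot: three Windows-format rows and one Linux-format row.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.10:2337      203.0.113.20:443       ESTABLISHED
  TCP    192.168.0.10:2338      203.0.113.20:80        ESTABLISHED
  TCP    192.168.0.10:2340      198.51.100.7:443       ESTABLISHED
tcp        0      0 192.168.0.10:2341       203.0.113.21:80         ESTABLISHED
"""

def audit(netstat_text, site_hosts):
    """Return {host: sorted remote ports} for site hosts reached on a port other than 443."""
    seen = defaultdict(set)
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith("tcp"):
            continue  # skip banners, column headers and non-TCP rows
        # Address columns are the tokens shaped host:port; the second one is the remote end.
        addrs = [p for p in parts[1:] if ":" in p and p.rpartition(":")[2].isdigit()]
        if len(addrs) < 2:
            continue  # e.g. listening sockets with a wildcard remote address
        host, _, port = addrs[1].rpartition(":")
        if host in site_hosts:
            seen[host].add(int(port))
    # A host that only ever appears on 443 is not reported.
    return {host: sorted(ports) for host, ports in seen.items() if ports - {443}}
```

A host that shows both 443 and 80 in the same snapshot matches the pattern reported earlier in the thread: an HTTPS page whose embedded component opens its own HTTP connections.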
 

Chant

Member
Joined
Oct 20, 2005
Messages
24
Well spotted, really don't understand why you have to do their work for them.

On another note don't you think you should rather let WBS know first before posting here, a lot of Iburst users don't use this forum and as such they won't know that they shouldn't click "Edit My Account" until the problem is resolved whereas would-be hackers now know.
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
Communicating with WBS

Yes, you make a good point about reporting it to WBS first. But have you ever tried calling them? A few months ago, I had another issue, and even went so far as to log a call with them to ask for a manager to call me, and nothing happened. I am still waiting for them to get back to me on various issues.

If I thought that I would get it fixed by talking to them, I would have done that first. In the past, I have found security issues with various products, ranging from Internet Banking, to IBM's firewall product, and have always tried to notify the company responsible first, but in almost all of the cases, it wasn't until I made it public that I got a response from them.
 

Chant

Member
Joined
Oct 20, 2005
Messages
24
ic said:
No, I disagree, rather post here first, the reason is that WBS employees are in fact the "middle man" seeking to steal all your personal info - the radio link data is supposedly encrypted according to iBurst as a technology, so that leaves a more likely weakness at the unencrypted endpoints which are your PC/LAN and within the bowels of WBS where some crafty WBS employee [or an external contractor with access] could intercept unencrypted packets from their DB servers that hold your data.

Perhaps one should be asking exactly how much access to your personal info, do WBS Helpdesk etc employees have, and is that access logged & audited...

But what you are saying can be applied to any company who you deal with and has your personal info for example banks and any other online entity, you really need to be able to trust the ppl you give your info to otherwise you shouldn't be using them in the first place. I like to say I trust WBS to have set certain rules, policies and regulations in place for their employees with what actions will be taken against them if these are broken, a hacker on the internet has no such rules and policies in place, did you know in some countries a hacker can use the excuse that he did not know he was not allowed to grab that information because he never got any warning like a disclaimer on a website etc.

paulcam123 said:
Yes, you make a good point about reporting it to WBS first. But have you ever tried calling them? A few months ago, I had another issue, and even went so far as to log a call with them to ask for a manager to call me, and nothing happened. I am still waiting for them to get back to me on various issues.

If I thought that I would get it fixed by talking to them, I would have done that first. In the past, I have found security issues with various products, ranging from Internet Banking, to IBM's firewall product, and have always tried to notify the company responsible first, but in almost all of the cases, it wasn't until I made it public that I got a response from them.

I completely understand and I for one am happy to know I shouldn't use their website until these issues are corrected but I think that what you should really do is give them a call and let them know you have found a security issue and you will be reporting it publicly in 2 days if it isn't corrected and also drop an e-mail to them stating the same thing (that way you have proof that you gave them due warning). If it isn't corrected in the time you specified then definitely post here. All I'm saying is let's not put ppl at risk any more than they already are if it can be helped.
 

paulcam123

Active Member
Joined
Oct 19, 2005
Messages
45
I called their Helpdesk again.

I called again this morning (spoke to Shaheen), and got a "it is secure, but it isn't encrypted" response, followed by "it is https". He said he would bring it up with them and see if they can make it "more secure", but he didn't know when that might happen.

I really can't believe that WBS didn't already know that it was non-secure. It is like part of Internet Security 101. Everyone knows that you don't use http connections for secure data! And then they fixed the Credit Card problem, but not all the other related problems on the site. It makes you wonder if they really care.

I have only published the security information which is easily available, and which I imagine that WBS is already aware of. I haven't published any information here that hackers would not be able to find easily (and there might be some). Who knows how many hackers are already exploiting this information. Because it was so basic and that WBS and hackers are probably already aware of it, I think that the iBurst users should also be aware of it.
 