ISP: Your login detail is insecure. (Clientzone)

Necuno

Court Jester
Joined
Sep 27, 2005
Messages
58,567
Is your ISP sending your client zone detail as plain text, or is it actually encrypted?

Which leaves the question: what are these ISPs doing?

Pass:
Openweb: Pass ? - HTTPS
Afrihost: Pass - HTTPS, Username is case insensitive.
Mweb: Pass - HTTPS, Username is case insensitive.
Telkom: Pass - HTTPS

Fail:
CyberSmart: Fail? - HTTP, I would strongly advise against an ISP who plays reactionary. ***
“I am not sure why someone would want to top up someone else’s account,” Fialkov joked, but added that even this is covered by their gig-back guarantee, so if a customer disputes the top-up and it really was not done from their location, a refund will be issued.

Despite being unconvinced of the purpose in securing their ADSL usage and top up pages, Fialkov said that they will do it if their users demand it.
Axxess: Fail? (though not sure about the second GET) - HTTP, Username is case insensitive. ***

WebAfrica: Username is case insensitive.
Initial - Fail - HTTP. Clear text over http.
Current - Pass ? - HTTPS. Login is now https, but what about that create session. Then there is also the cookie issue:
Cookies - Fail? Clear text as here or here.
:edit
Now one might ask why is this a bad thing?
Well, for one, if I casually intercepted your unencrypted detail, it would be very easy to log in and lie dormant. There is no need to abuse it, just watch and collect info.

What if I made an error in the OP?
Obviously if I have made an error, then I'll correct it :)


::edit
*** Apparently Axxess and Cybersmart are also insecure, according to WebAfrica:

Hi Prophet

The only way to secure that information would be to use SSL. Unfortunately most of our website (except the customer zone) runs on normal http (for performance reasons). This means that we're unable to post to a secure server and read the response due to cross domain scripting limitations.
http://en.wikipedia.org/wiki/Same_origin_policy

If you can show me a reliable cross-browser technique to get around this issue, then we'll implement it.

Web Africa, Axxess and Cybersmart are "insecure" by that standard. The only reason why the other guys are secure is because they don't have a global login.

Web Africa
http://i45.tinypic.com/ff2s1u.png

Axxess
http://i46.tinypic.com/9vkx3k.png

Cybersmart
http://i46.tinypic.com/333d11y.png

:::edit
Seems that the username case insensitivity is due to A) the username being an email, or in the case of WA/Axxess it's unknown speculation. Should your username be case sensitive too?
 
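The checks the OP runs by hand on each ISP's client zone can be scripted. The following is an added example, not code from the thread or from any of the ISPs named in it. It audits a captured login page and its Set-Cookie headers offline for the failure modes listed above: a credential form that submits over plain HTTP, a login page that is itself served over HTTP (so the form can be rewritten in transit even when its action is HTTPS), and session cookies set without Secure or HttpOnly. The sample HTML, the example-isp.test URL and the cookie headers are constructed for the demo; the username case-sensitivity question cannot be checked offline and is left out.

```python
"""Offline audit of a captured ISP login page against the failure modes
listed in this thread. Added example: the page, URL and headers below are
constructed for the demo, not taken from any real ISP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Record every <form>: its action, method and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower() or "get",
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _cookie_attributes(set_cookie_header):
    """Return (cookie name, set of lower-cased attribute names) from one Set-Cookie header."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_login_page(page_url, html, set_cookie_headers):
    """Return a list of (severity, message) findings; an empty list means every check passed."""
    findings = []
    page_scheme = urlparse(page_url).scheme
    collector = _FormCollector()
    collector.feed(html)

    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are not credential forms
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append(("FAIL", f"credential form submits in clear text to {target}"))
        if form["method"] != "post":
            findings.append(("FAIL", f"credential form uses {form['method'].upper()}; "
                                     "credentials would end up in URLs and server logs"))
        if page_scheme != "https":
            # An https action does not help if the http page carrying the form
            # can be rewritten in transit to point somewhere else.
            findings.append(("WARN", f"login form is served over {page_scheme}; "
                                     "the form itself can be altered in transit"))

    for header in set_cookie_headers:
        name, attrs = _cookie_attributes(header)
        if "secure" not in attrs:
            findings.append(("FAIL", f"cookie {name} lacks Secure and will also be sent over plain http"))
        if "httponly" not in attrs:
            findings.append(("WARN", f"cookie {name} lacks HttpOnly and is readable by page scripts"))
    return findings


# Constructed sample input: a front page served over http with a search box
# and a client-zone login form, plus two cookies from the response.
SAMPLE_PAGE_URL = "http://www.example-isp.test/"
SAMPLE_HTML = """
<html><body>
<form id="search" action="/search" method="get"><input name="q"></form>
<form id="login" action="/clientzone/login" method="post">
  <input name="username"><input type="password" name="password">
</form>
</body></html>
"""
SAMPLE_SET_COOKIE = [
    "PHPSESSID=abc123; Path=/",
    "remember=xyz; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for severity, message in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_SET_COOKIE):
        print(f"{severity}: {message}")
```

On the constructed sample this reports the login form posting in clear text, the page being served over http, and the PHPSESSID cookie missing both flags; the search form is ignored because it has no password field, and the same HTML served from an https URL with a Secure, HttpOnly session cookie produces no findings. To use it on a real page, feed it the URL, the page body and the Set-Cookie headers you captured with a browser's developer tools.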

twicode

Expert Member
Joined
Mar 27, 2011
Messages
1,116
Not such a big issue for me since the ISP can tell me which telephone numbers used my account. Similarly if someone steals my router and just plugs it in and uses it I got their home address through home number.
 

Necuno

Court Jester
Joined
Sep 27, 2005
Messages
58,567
Not such a big issue for me since the ISP can tell me which telephone numbers used my account. Similarly if someone steals my router and just plugs it in and uses it I got their home address through home number.
It's about safe practices. It is the clientzone we are speaking about, added the detail... my bad.


Biggest stupidity is to treat symptoms.
 

Fudzy

Guest
Nice post! Consider the other information available (bank details etc.) on these PIM systems. Not to mention that the lazy will use one password for most sites, so if they can access this place they will most likely try other accounts (GMail etc.).
 

The_Unbeliever

Honorary Master
Joined
Apr 19, 2005
Messages
103,199
Never had a problem with my Afrihost account details getting stolen :)

You still need to test Telkom :p
 

gregmcc

Honorary Master
Joined
Jun 29, 2006
Messages
22,021
Not such a big issue for me since the ISP can tell me which telephone numbers used my account. Similarly if someone steals my router and just plugs it in and uses it I got their home address through home number.
That's not the point. What other info can someone get using your account - phone number / ID number / email / address. You don't need much more than that for identity theft.
 

ranger

Expert Member
Joined
May 2, 2007
Messages
2,047
Not such a big issue for me since the ISP can tell me which telephone numbers used my account. Similarly if someone steals my router and just plugs it in and uses it I got their home address through home number.
Resets your email password, logs into your mailbox, steals any useful info there (bank account details, ID number). Sends a request to your bank to change the cellphone number linked to your bank account using details found in your mailbox. Resets your online banking password. Adds beneficiaries. Increases limits. Game over.
 

Dan C

Honorary Master
Joined
Nov 21, 2005
Messages
24,520
Yeah WebAfrica is wide open, noticed that a while back but didn't really bother.
 

WAJeff

Web Africa Representative
Joined
May 15, 2009
Messages
1,506
We pushed a change live earlier; can you guys please double-check?
 

wakevinr

Web Africa representative
Company Rep
Joined
Jan 24, 2008
Messages
5
Hi Prophet

The only way to secure that information would be to use SSL. Unfortunately most of our website (except the customer zone) runs on normal http (for performance reasons). This means that we're unable to post to a secure server and read the response due to cross domain scripting limitations.
http://en.wikipedia.org/wiki/Same_origin_policy

If you can show me a reliable cross-browser technique to get around this issue, then we'll implement it.

Web Africa, Axxess and Cybersmart are "insecure" by that standard. The only reason why the other guys are secure is because they don't have a global login.

Web Africa
http://i45.tinypic.com/ff2s1u.png

Axxess
http://i46.tinypic.com/9vkx3k.png

Cybersmart
http://i46.tinypic.com/333d11y.png
 

Necuno

Court Jester
Joined
Sep 27, 2005
Messages
58,567
As the username states, KevinR - Kevin Rademan, our Development Manager.
Thanks.

Hi Prophet

The only way to secure that information would be to use SSL. Unfortunately most of our website (except the customer zone) runs on normal http (for performance reasons). This means that we're unable to post to a secure server and read the response due to cross domain scripting limitations.
http://en.wikipedia.org/wiki/Same_origin_policy

If you can show me a reliable cross-browser technique to get around this issue, then we'll implement it.

Web Africa, Axxess and Cybersmart are "insecure" by that standard. The only reason why the other guys are secure is because they don't have a global login.

Web Africa
http://i45.tinypic.com/ff2s1u.png

Axxess
http://i46.tinypic.com/9vkx3k.png

Cybersmart
http://i46.tinypic.com/333d11y.png
I'm always a little worried when I read a reply like this:

1) We can stick to insecure login because others are doing it.
2) We'd rather have the login detail be insecure for sake of convenience.
3) Passing on the onus.

Quick pass on ISPA membership policies

F. Cyber crime
ISPA members must take all reasonable measures to prevent unauthorised access to, interception of, or interference with any data on that member's network and under its control.

[link]
If I understand this correctly, and looking at your response, there seems to be a conflict, right?

Now I'm not being a dick, I'm highlighting a concern here. Would be interesting to get ISPA's take on this. I think I'm going to pass this by them on Monday for WebAfrica, Cybersmart and Axxess.
 

wakevinr

Web Africa representative
Company Rep
Joined
Jan 24, 2008
Messages
5
Thanks for the feedback. While it’s fairly low-risk, you are right in the sense that the login could be made even more secure, and anything that we can do to improve security is always a win.

We’re looking into it, and will feedback.
 