Vodacom Mobile security concerns
Vodacom has recently launched a new Mobile Internet system which promises to “enhance the display of websites on a cellphone through technology that adapts the computer-screen format of any website into a smaller, cellphone-friendly format.”
The company came under fire from consumers and the South African chapter of the Internet Society, who said that it ‘broke’ many websites which used to function perfectly on a mobile device.
According to the Internet Society, Vodacom appears to have made portions of the Internet unavailable to users – something which obviously did not sit well with mobile Internet users.
Security concerns
Internet Solutions (IS) is the latest organization to criticize Vodacom’s new mobile surfing platform, raising concerns about potential security issues which may dog the system.
“The recent proxy server, implemented by Vodacom in order to provide their new ‘Content Adaption’ service and to better render websites on small screen devices, has inadvertently created a serious security issue,” IS said.
“Some of the unintended results have given rise to serious privacy concerns amongst consumers and corporate customers alike.”
Brett Steingo, General Manager of Mobility Solutions at Internet Solutions (IS), explains:
“Since all traffic is routed first through their proxy server, sites requiring login information result in your password being intercepted and reformatted. Clients logging in, for example to webmail, have their passwords captured in plain text and forwarded on. In the event of a failure, this password is being re-directed to a Google search page in plain text.”
According to Internet Solutions, some basic testing by its staff shows how any user can replicate this fault. “To see for yourself, browse to an Exchange Outsourced Web Access / Webmail site from your cell phone using http://webmail.your.site.domain/ and not https://,” IS said.
“The page that’s asking for your username and password will look something like this:
http://owafe083.vodacommi.co.za/webmail.your.site.domain/ This is NOT secure.”
“If you fill in your Username and Password (use a fake one!), in some cases both entries are sent as an unsecured search query to Google. You can get around this by going directly to the “https” version of the site – the site will work, but your password still gets redirected and sent to Google as a search request.”
“Clients are also reporting the inability to use a variety of applications over this platform and VLive APNs since the implementation of Content Adaption,” says Steingo. “IS clients using the IS Internet APNs (mobile.is.co.za and vpn.is.co.za) remain unaffected.”
Vodacom unfortunately did not provide any official feedback about the problems and security concerns by the time of publication.
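The symptom IS describes can be checked from the address a login page is actually displayed at. The following is an added example, not part of the original article or of IS's testing: it flags a login URL that is served in cleartext, comes from a host other than the intended site, or carries the intended host as a path segment the way the quoted proxy address does. The function name and finding labels are assumptions made for illustration; the sample URLs are the placeholder addresses quoted above.

```python
from urllib.parse import urlsplit


def login_page_findings(displayed_url, intended_host):
    """Return reasons not to enter credentials for intended_host at displayed_url.

    An empty list means the URL passed these checks. Finding labels are
    illustrative names, not taken from any product.
    """
    parts = urlsplit(displayed_url)
    host = (parts.hostname or "").lower().rstrip(".")
    intended = intended_host.lower().rstrip(".")
    findings = []

    # Credentials typed into a page loaded over http travel in plain text.
    if parts.scheme.lower() != "https":
        findings.append("cleartext-scheme")

    # The page is being served by a different host than the one requested.
    if host != intended:
        findings.append("host-mismatch")
        # A rewriting proxy may carry the real site as a path segment,
        # as in the address quoted in the article.
        segments = [s.lower() for s in parts.path.split("/") if s]
        if intended in segments:
            findings.append("intended-host-in-path")

    return findings


if __name__ == "__main__":
    # Placeholder addresses as quoted in the article, plus a direct HTTPS one.
    site = "webmail.your.site.domain"
    samples = [
        "http://owafe083.vodacommi.co.za/webmail.your.site.domain/",
        "http://webmail.your.site.domain/",
        "https://webmail.your.site.domain/",
    ]
    for url in samples:
        print(url, "->", login_page_findings(url, site) or "no findings")
```

An empty result only shows that the address bar has the intended host over HTTPS; IS reports above that passwords were still forwarded in that case, so this is a first check rather than proof that nothing sits in the path.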