A small percentage (0.13%) of clients using the FoneWorx fax2email service elected to receive faxes through a link that requires a PIN in order for them to view their received faxes.
The link was deliberately manipulated by a yet-to-be-identified party, giving the attacker access to the temporary folders holding faxes.
MyBroadband was alerted to the problem by one of the company’s clients, who provided an explanation of the issue.
MyBroadband alerted Cognition Holdings to the problem via email and a phone call, to assist them in fixing it.
The company said it has requested an immediate audit from its technical team regarding the alleged security hole.
The company has now responded to the issue with the statement below.
We regard the integrity of the fax2email service and the privacy of data transmitted using this service as paramount.
To put the concern that you have raised in your email to us this morning into context, the issue surrounding the secure fax2email service is limited to 0.36% of the total fax2email user base, meaning that 99.64% of the fax2email user base would not have been affected by the link that could have exposed a vulnerability.
Furthermore, our logs show that of the 0.36% fax2email users that could have received a link, only 0.13% were active users of the secure fax2email service.
Thus 99.87% of users making use of the fax2email facility would not have received a link that could have exposed any vulnerability.
This would have meant around 568 recipients would have received the link that would have enabled them to open the fax.
Of these users, all but one would have inserted their PIN after clicking on the link and received only their fax.
One of these users, purportedly the person who brought this to your attention, would have acted with different intention.
It appears from the investigation by our technical department that there was a deliberate URL Manipulation Attack by the party in question.
The party concerned would only have been able to obtain access to the files by intentionally manipulating the URL “breadcrumbs” to access the directory folders.
To do so he or she would have had to know what they were doing and this in itself implies that the party concerned did not just “stumble” across the directory folders and furthermore same was not freely available to all users.
The vulnerability of this element of the secure fax2email service to hacking has now been resolved.
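The statement describes a link that carries a PIN and a folder structure reachable by editing the URL. The following is an added, defender-side example of how such a link can be served so that the URL never names a folder at all: the link carries only an opaque token, the PIN is checked in constant time against a salted hash, the file path comes from the server's own record and is confined to the storage root, and repeated wrong PINs lock the link. It is illustrative code written for this page, not FoneWorx's or Cognition Holdings' implementation; the storage root, pepper, tokens, PINs and file names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from pathlib import Path

# Hypothetical storage root and server-side secret (constructed for this example).
FAX_ROOT = Path("/var/spool/fax2email/outbox")
PIN_PEPPER = b"constructed-server-secret"
MAX_PIN_ATTEMPTS = 5


class AccessDenied(Exception):
    """Raised for any request that must not yield a fax (message is for logs, not users)."""


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-record salt plus a server pepper: a leaked table of
    # hashes does not reveal four-digit PINs by simple enumeration.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + PIN_PEPPER, 50_000)


def new_fax_record(relative_file: str, pin: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"file": relative_file, "salt": salt, "pin_hash": hash_pin(pin, salt)}


# Constructed sample rows keyed by an unguessable link token. In a real service
# the token would be generated with secrets.token_urlsafe() and stored in a database.
FAX_STORE = {
    "tok_constructed_0001": new_fax_record("2023/11/fax-0001.tif", "4821"),
    "tok_constructed_0002": new_fax_record("2023/11/fax-0002.tif", "9073"),
}
_failed_attempts: dict = {}


def confine(root: Path, relative_file: str) -> Path:
    """Return the absolute file path only if it lies strictly inside root.

    The root itself is rejected too, so a request can never resolve to the
    directory (and thus to a listing of other users' faxes).
    """
    root_resolved = root.resolve()
    candidate = (root_resolved / relative_file).resolve()
    if root_resolved not in candidate.parents:
        raise AccessDenied("path escapes fax storage root")
    return candidate


def open_fax(token: str, pin: str) -> Path:
    """Resolve a (token, PIN) pair from a fax link to exactly one file path."""
    record = FAX_STORE.get(token)
    if record is None:
        raise AccessDenied("unknown link token")
    if _failed_attempts.get(token, 0) >= MAX_PIN_ATTEMPTS:
        raise AccessDenied("link locked after repeated wrong PINs")
    supplied = hash_pin(pin, record["salt"])
    if not hmac.compare_digest(record["pin_hash"], supplied):
        _failed_attempts[token] = _failed_attempts.get(token, 0) + 1
        raise AccessDenied("wrong PIN")
    _failed_attempts.pop(token, None)
    # The file name is taken from the server's record, never from the request.
    return confine(FAX_ROOT, record["file"])


if __name__ == "__main__":
    print(open_fax("tok_constructed_0001", "4821"))
```

The web server in front of this handler should additionally have directory listing disabled and serve files only through the handler, and link tokens should expire after a short period; those are deployment settings outside the snippet.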