| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 06 Oct 2008 14:31:51 +0200 From: vulns@...tercore.com To: bugtraq@...urityfocus.com Subject: Motorola Timbuktu's Internet Locator Service real-time data exposed to public. We just want to make a public warning to those users of Motorola/Netopia Timbuktu Remote Control Software who are using the Internet Locator service. This service allows to locate any Timbuktu's user just by knowing the email. More than five months ago we notified Netopia's customer support (http://blog.wintercore.com/?p=21), after discovering a hardcoded user/password pair within SALT.dll. --------------- v 8.6.5.1373 Dll: SALT.dll Address: 0x604b83D4 PE section: .rdata user: xa7z8 pass: e74sa9 url: findme.netopia.com/_REMOVE_THIS_findme/ --------------- By using this information it was possible to access, in real-time, to hundreds of users' records containing their IP, email, software version and information related to the license. We have received no reply since then. 5 months after, we have found out what we would say an "obvious" patch: "if the problem was the user/password, well, let's remove it!. Fixed.". Really hilarious. Now, *everyone* can access those records without having valid credentials. Taking into account that there are remote exploits available for that software, that everyone can grab your IP and software version, and that there are emails from government, military and high-profile corporate staff, better you disable that feature. -- Wintercore Agustin de Betancourt, 21. 8th Floor. 28003 Madrid. Spain. Phone: +(34) 91 395 63 40 www.wintercore.com
Powered by blists - more mailing lists