Message-ID: <4b6ee9310608020804l68f08d91k26549c672f2178ae@mail.gmail.com>
Date: Wed, 2 Aug 2006 15:04:24 +0000
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: world governments and aid agencies at risk because of bbc
hi,
last night i reported on n3td3v list that a corporation who offers
humanitarian security updates to world governments and aid agencies
who will remain unnamed stores passwords on their servers in plain
text
the corporation has sql injection vulnerabilities to make it worse
e-mail and password can be harvested
this has allowed hackers to obtain e-mail and passwords for world
governments and aid agencies
it is unclear if the password these world governments and aid agencies
gave to the humanitarian alert system are the same passwords to access
government systems
it is now time to name and shame that corporation
none other than the bbc
check out their great server security at
http://www.bbc.co.uk/email/news
and how it allows hackers to obtain passwords for world governments
and aid agencies
with israel killing civilians in lebanon
now is not the best time for the bbc to have such poor security for a
service the world governments and aid agencies are signed up to
there are thousands of passwords signed up to the bbc service and all
can be extracted with the e-mail address belonging to the password with
sql injection
there are a number of factors here
1. passwords stored on servers as plain text
2. once a world government or aid agency has signed up, they cannot
reset their password, the bbc will always just send them their
original password they signed up with in plaintext
3. sql injections and xss vulnerabilities can exploit the plaintext passwords
4. this is bad security, considering the types of people who are
supposed to be signed up to the bbc service, ie: world governments and
aid agencies
5. the bbc is allowing for bigger attacks to occur on the internet, by
leaving their site vulnerable
6. the bbc has always stored their passwords in plaintext and it's
unclear how many corporate, consumer, government and aid agency hacks
have resulted from the bbc's poor security over the years
7. remember the gary mckinnon case? let's talk about how he and others like
him might obtain passwords to access government systems illegally
8. i'll leave it up to the authorities to decide the connection between
the bbc's poor security on its website and the ability for hackers to
launch cyber attacks against world governments and aid agencies
systems
9. i hope the bbc, one of the biggest corporations on the planet, can
fix these issues as soon as possible and that anyone signed up to the
bbc service makes sure their passwords are all changed by the bbc once
their security is patched
10. it is not my job to rate how critical this might be, i have just, to the
best of my ability, listed possibilities, i'll leave it up to the
experts to decide, i'm just the messenger, don't shoot me. this is the
full disclosure mailing list and that's why i report issues here. sorry
if some people don't like me but who cares, i will continue to report
issues to full disclosure for as long as there are issues for me to
report, i deem this disclosure an important issue, even if others
don't.
11. another service world governments and aid agencies are signed up to
is http://www.alertnet.org/ i haven't checked if they are as
vulnerable as the bbc service yet, but this is a sitting duck for
hackers if it is, and is how world governments and aid agencies get
hacked, by hacking corporations who offer third party services to
world governments and aid agencies
12. i personally don't think everyone who works for world governments
and aid agencies is security competent enough to know to use a
different password for signing up to breaking news alerts and the
password they might use to login to government systems
n3td3v
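Factors 1 to 3 above describe one failure chain: a password stored in plaintext so it can be mailed back on "reset", and a database that can be dumped through SQL injection. The example below is added here and is not code from the post or from the BBC; it shows the defensive pattern that breaks that chain, using a constructed in-memory sqlite table and hypothetical helper names. Passwords are stored only as a salted PBKDF2 hash, lookups use parameterised queries, and a reset issues a one-time token instead of returning the old password (which cannot be recovered from the hash anyway).

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed stand-in for an alert-signup user table; schema and helper
# names are illustrative assumptions, not any real service's code.
ITERATIONS = 200_000


def _hash(password, salt):
    # One-way, salted, slow hash: a dumped table yields no plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, "
               "pw_hash BLOB, reset_token TEXT)")
    return db


def sign_up(db, email, password):
    salt = secrets.token_bytes(16)
    # Only salt and hash are persisted; the password itself is never stored.
    db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
               (email, salt, _hash(password, salt)))


def login(db, email, password):
    # Parameterised query: the e-mail is bound as data, never spliced into SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])


def request_reset(db, email):
    # Factor 2: issue a single-use token; do not (and cannot) mail the old password.
    token = secrets.token_urlsafe(32)
    cur = db.execute("UPDATE users SET reset_token = ? WHERE email = ?", (token, email))
    return token if cur.rowcount else None


def complete_reset(db, email, token, new_password):
    row = db.execute("SELECT reset_token FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or row[0] is None or not hmac.compare_digest(row[0], token):
        return False
    salt = secrets.token_bytes(16)
    db.execute("UPDATE users SET salt = ?, pw_hash = ?, reset_token = NULL "
               "WHERE email = ?", (salt, _hash(new_password, salt), email))
    return True


def dump_contains_plaintext(db, password):
    # Simulates a full table disclosure (e.g. via SQL injection): the
    # password must not be recoverable from anything stored.
    rows = db.execute("SELECT email, salt, pw_hash FROM users").fetchall()
    return any(password.encode() in (r[1] + r[2]) for r in rows)
```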
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/