Open Source and information security mailing list archives
Date: Wed, 2 Aug 2006 15:04:24 +0000
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: world governments and aid agencies at risk because of bbc

hi,

last night i reported on the n3td3v list that a corporation, which
offers humanitarian security updates to world governments and aid
agencies and which will remain unnamed, stores passwords on its
servers in plain text

the corporation has sql injection vulnerabilities to make it worse

e-mail and password can be harvested

this has allowed hackers to obtain e-mail and passwords for world
governments and aid agencies

it is unclear if the passwords these world governments and aid agencies
gave to the humanitarian alert system are the same passwords used to
access government systems

it is now time to name and shame that corporation

none other than the bbc

check out their great server security at

http://www.bbc.co.uk/email/news

and how it allows hackers to obtain passwords for world governments
and aid agencies

with israel killing civilians in lebanon

now is not the best time for the bbc to have such poor security for a
service the world governments and aid agencies are signed up to

there are thousands of passwords signed up to the bbc service, and all
can be extracted, with the e-mail address belonging to each password,
via sql injection

there are a number of factors here

1. passwords stored on servers as plain text

2. once a world government or aid agency has signed up, they cannot
reset their password, the bbc will always just send them their
original password they signed up with in plaintext

3. sql injections and xss vulnerabilities can exploit the plaintext passwords

4. this is bad security, considering the types of people who are
supposed to be signed up to the bbc service, ie: world governments and
aid agencies

5. the bbc is allowing for bigger attacks to occur on the internet, by
leaving their site vulnerable

6. the bbc has always stored their passwords in plaintext and it's
unclear how many corporate, consumer, government and aid agency hacks
have resulted from the bbc's poor security over the years

7. remember the gary mckinnon case? let's talk about how he and others
like him might obtain passwords to access government systems illegally

8. i'll leave it up to the authorities to decide the connection between
the bbc's poor security on its website and the ability of hackers to
launch cyber attacks against world governments' and aid agencies'
systems

9. i hope the bbc, one of the biggest corporations on the planet, can
fix these issues as soon as possible, and that anyone signed up to the
bbc service makes sure their passwords are all changed by the bbc once
its security is patched

10. it is not my job to rate how critical this might be; i have just,
to the best of my ability, listed possibilities. i'll leave it up to
the experts to decide. i'm just the messenger, don't shoot me. this is
the full disclosure mailing list and that's why i report issues here.
sorry if some people don't like me, but who cares, i will continue to
report issues to full disclosure for as long as there are issues for me
to report. i deem this disclosure an important issue, even if others
don't.

11. another service world governments and aid agencies are signed up to
is http://www.alertnet.org/ . i haven't checked if they are as
vulnerable as the bbc service yet, but this is a sitting duck for
hackers if it is, and this is how world governments and aid agencies
get hacked: by hacking corporations who offer third party services to
world governments and aid agencies

12. i personally don't think everyone who works for world governments
and aid agencies is security competent enough to know to use a
different password for signing up to breaking news alerts than the
password they might use to log in to government systems

n3td3v
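The three storage failures the post lists (plaintext passwords, a "reset" that mails back the original password, and injectable queries) have one well-understood corrected design. The following is an added example, not code from the post or from the service it describes: subscriber passwords are kept only as salted PBKDF2 hashes, a reset issues a short-lived single-use token instead of the password, and every query is parameterised. The `subscribers` table, its columns and the e-mail addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time

# Constructed in-memory stand-in for a subscriber database (hypothetical schema).
def init_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (email TEXT PRIMARY KEY, salt BLOB, "
               "pw_hash BLOB, reset_token_hash BLOB, reset_expires REAL)")
    return db

def _hash(password, salt):
    # Slow, salted one-way hash: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(db, email, password):
    salt = os.urandom(16)
    # Placeholders, never string formatting, so the input is always a literal value.
    db.execute("INSERT INTO subscribers (email, salt, pw_hash) VALUES (?, ?, ?)",
               (email, salt, _hash(password, salt)))

def verify(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM subscribers WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_hash(password, row[0]), row[1])

def request_reset(db, email, ttl=900):
    # The token (not the password) is what gets e-mailed; only its hash is stored.
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE subscribers SET reset_token_hash = ?, reset_expires = ? "
               "WHERE email = ?",
               (hashlib.sha256(token.encode()).digest(), time.time() + ttl, email))
    return token

def complete_reset(db, email, token, new_password):
    row = db.execute("SELECT reset_token_hash, reset_expires FROM subscribers "
                     "WHERE email = ?", (email,)).fetchone()
    if row is None or row[0] is None or time.time() > row[1]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), row[0]):
        return False
    salt = os.urandom(16)  # fresh salt; token is cleared so it cannot be replayed
    db.execute("UPDATE subscribers SET salt = ?, pw_hash = ?, reset_token_hash = NULL, "
               "reset_expires = NULL WHERE email = ?",
               (salt, _hash(new_password, salt), email))
    return True
```

With this layout an operator who is asked "what is my password" has nothing to send back, which is the property factor 2 above is missing.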
