Message-Id: <20061001170513.6C8661712B@mail.cypherpunks.to>
Date: Sun,  1 Oct 2006 19:05:13 +0200 (CEST)
From: Anonymous via the Cypherpunks Tonga Remailer <nobody@...herpunks.to>
To: full-disclosure@...ts.grok.org.uk
Subject: FON (fon.com) - Crappy security policy part II

FON (www.fon.com) is some semi-free wifi service. Members contribute
their connection and allow other FON users to use their connections
for free or small money (depends, the users have to contribute their
connection to get free access).

Although the users have to identify themselves at the hotspot, we have

problem #1:
===========
The police wouldn't care that you share your internet connection when
they find your IP in some logs related to hacking, copyright issues,
child porn or whatever. They will first confiscate your equipment and
ask questions afterwards.

problem #2:
===========
It is or was possible to steal anyone's credentials:
http://fon.freddy.eu.org/pcap-decoder/howto/

problem #3:
===========
At the time when I realized the existence of FON, it was possible to
register with fake e-mail addresses, because they had a lame
verification mechanism (something like
http://fon.com/verify.php?email=president@whitehouse.gov). I
successfully registered dozens of fake accounts that way and all these
accounts still work. At least that hole has been fixed in the
meantime.

However, although problem #2 has been made public, no "please set a
new password" requests have been sent to the subscribers. Although
they seem to know that they had problem #3 (otherwise they wouldn't
have fixed it), they made no attempt to *verify* their user identities
(my "regular" FON account has not been verified and my fake accounts
still work).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
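The verification scheme described in problem #3 fails because the address to be verified is taken from the URL itself, so there is no proof that the requester controls the mailbox. The following Python illustration is an added example, not FON's code and not the poster's: `weak_verify` models the forgeable `verify.php?email=...` pattern, and the hypothetical `TokenVerifier` shows the usual fix, where the server issues a random, single-use, expiring token, stores only its hash, and marks verified the address bound to that token on the server side rather than any address named by the client.

```python
"""Email-verification tokens: a forgeable scheme next to a hardened one.
Added illustration; neither class models FON's actual implementation."""
import hashlib
import secrets
import time


def weak_verify(verified: set, email: str) -> bool:
    """Models a verify.php?email=<addr> style endpoint (assumed shape):
    whatever address appears in the request is marked verified, so a
    registration with someone else's address succeeds without mailbox access."""
    verified.add(email)
    return True


class TokenVerifier:
    """Hypothetical hardened flow: a random token is mailed to the address
    and only presenting that token, once and before expiry, verifies it."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable for testing expiry
        # sha256(token) -> (email, expiry timestamp)
        self._pending: dict[str, tuple[str, float]] = {}
        self.verified: set[str] = set()

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token for `email` and return it; the caller is
        responsible for delivering it to that mailbox (e.g. by mail)."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
        self._pending[self._digest(token)] = (email, self._clock() + self._ttl)
        return token

    def confirm(self, token: str) -> bool:
        """Mark as verified the address bound server-side to `token`.
        The token is consumed on any attempt, so it cannot be replayed."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False  # unknown, already used, or forged token
        email, expiry = entry
        if self._clock() > expiry:
            return False  # stale link: user must request a fresh token
        self.verified.add(email)
        return True


if __name__ == "__main__":
    weak = set()
    weak_verify(weak, "president@whitehouse.gov")
    print("weak scheme verified:", weak)

    v = TokenVerifier(ttl_seconds=60)
    print("guessed token accepted:", v.confirm("president@whitehouse.gov"))
    t = v.issue("user@example.com")  # constructed address
    print("mailed token accepted:", v.confirm(t))
    print("replay accepted:", v.confirm(t))
```

The essential difference is where the email address comes from: the weak endpoint trusts a client-supplied parameter, while the hardened one looks the address up from state the server created when it sent the mail, so the only way to complete verification is to read that mailbox.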
