lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 14 Jul 2014 11:03:03 -0500
From: Joshua Smith <lazydj98@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] United Airways® united.com Insecure Transmission of User Credentials

"This vulnerability has similar scope and threat as the HeartBleed bug.” — umm, no.  This bug affects your creds at a single site.  Please don’t over inflate.

-kernelsmith

Date: Sun, 13 Jul 2014 11:58:18 +0000
From: Michael Scheidell <michael@...urityPrivateers.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] United Airways(r) united.com Insecure Transmission of
	User Credentials
Message-ID: <1405252689573.49421@...urityPrivateers.com>
Content-Type: text/plain; charset="Windows-1252"

United Airways(r) united.com Insecure Transmission of User Credentials
Revision Date: May 6th, 2014
Reason for Revision: Issue has been fixed by united.com

Systems:  www.united.com
Severity: Critical
Category: Information Disclosure
Author: Michael Scheidell, CCISO ? Managing Director, Security Privateers
Original Public Release Date: June 30th, 2014.
Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago ECTF)
Notifications: May 5th, 2014.  Update sent to MECTF and United Airlines

Discussion: (From United.com?s web siteprivacy policy)
Privacy Policy
Your privacy is important to us
United Airlines is committed to protecting the privacy and personal data it receives from customers. We want you to know that when you use one of the United family Internet websites, and when you provide us with information offline, the privacy of your personally identifiable information will be respected and protected.

Vulnerability:  Confidential login information, including password is transmitted in plain text

This vulnerability has similar scope and threat as the HeartBleed bug.  Even though this exploit does not depend on the HeartBleed bug, it still has the potential to disclose confidential information that the user would reasonably assume to be sensitive or, in combination with their username, would be considered private, unpublished personal information.
The Home page of  www.united.com has a link to a ?Sign in? page in the upper right hand corner clicking on this link brings the user to another page, an html form that requests userlogin and password. Source code reveals that ?Sign in (Secure)? button links to http, not https page:

<div><span id="ctl00_CustomerHeader_spanNotSignedIn"><a id="ctl00_CustomerHeader_linkSignIn" href="apps/account/account.aspx">Sign In</a> | </span><a id="ctl00_CustomerHeader_linkMyAccount" href="apps/account/account.aspx">My Account</a> | <a accesskey="9" href="content/Contact/default.aspx">Contact Us</a></div>

When you select ?Sign in?, you are presented with a screen at url: http://www.united.com/web/en-US/apps/account/account.aspx and asked to log in.
The request is for MileagePlus Number or Username:
PIN or Password:
And the ?submit? button is labeled ?Sign In (Secure)?.

First thing to note is that this is an http (plain text, unencrypted) webpage, second thing to note is that the submit button calls a standard ?POST? which when the user presses the ?Sign In (Secure)? button, the information is transmitted from the user?s computer across the internet in plain text.
<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">
<form name="aspnetForm" method="post" action="signin.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists