| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <26B6768D-FFB4-4C98-8A78-F102FDC2E916@gmail.com> Date: Mon, 14 Jul 2014 11:03:03 -0500 From: Joshua Smith <lazydj98@...il.com> To: fulldisclosure@...lists.org Subject: [FD] United Airways® united.com Insecure Transmission of User Credentials "This vulnerability has similar scope and threat as the HeartBleed bug.” — umm, no. This bug affects your creds at a single site. Please don’t over inflate. -kernelsmith Date: Sun, 13 Jul 2014 11:58:18 +0000 From: Michael Scheidell <michael@...urityPrivateers.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] United Airways(r) united.com Insecure Transmission of User Credentials Message-ID: <1405252689573.49421@...urityPrivateers.com> Content-Type: text/plain; charset="Windows-1252" United Airways(r) united.com Insecure Transmission of User Credentials Revision Date: May 6th, 2014 Reason for Revision: Issue has been fixed by united.com Systems: www.united.com Severity: Critical Category: Information Disclosure Author: Michael Scheidell, CCISO ? Managing Director, Security Privateers Original Public Release Date: June 30th, 2014. Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF) Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago ECTF) Notifications: May 5th, 2014. Update sent to MECTF and United Airlines Discussion: (From United.com?s web siteprivacy policy) Privacy Policy Your privacy is important to us United Airlines is committed to protecting the privacy and personal data it receives from customers. We want you to know that when you use one of the United family Internet websites, and when you provide us with information offline, the privacy of your personally identifiable information will be respected and protected. Vulnerability: Confidential login information, including password is transmitted in plain text This vulnerability has similar scope and threat as the HeartBleed bug. Even though this exploit does not depend on the HeartBleed bug, it still has the potential to disclose confidential information that the user would reasonably assume to be sensitive or, in combination with their username, would be considered private, unpublished personal information. The Home page of www.united.com has a link to a ?Sign in? page in the upper right hand corner clicking on this link brings the user to another page, an html form that requests userlogin and password. Source code reveals that ?Sign in (Secure)? button links to http, not https page: <div><span id="ctl00_CustomerHeader_spanNotSignedIn"><a id="ctl00_CustomerHeader_linkSignIn" href="apps/account/account.aspx">Sign In</a> | </span><a id="ctl00_CustomerHeader_linkMyAccount" href="apps/account/account.aspx">My Account</a> | <a accesskey="9" href="content/Contact/default.aspx">Contact Us</a></div> When you select ?Sign in?, you are presented with a screen at url: http://www.united.com/web/en-US/apps/account/account.aspx and asked to log in. The request is for MileagePlus Number or Username: PIN or Password: And the ?submit? button is labeled ?Sign In (Secure)?. First thing to note is that this is an http (plain text, unencrypted) webpage, second thing to note is that the submit button calls a standard ?POST? which when the user presses the ?Sign In (Secure)? button, the information is transmitted from the user?s computer across the internet in plain text. <body id="ctl00_bodyMain" onunload="PurchaseAbandon();"> <form name="aspnetForm" method="post" action="signin.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm"> _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists