O2 web site security
Your account details may not be safe
Contents:
- Latest News
- Round One (14th July)
- Round Two (16th July)
- What O2 should do (17th July)
- Why you should worry
- O2 semi fix the problem
- What O2 should still do (18th July)
Latest News
The flaw was confirmed to be still present up until 08:49, 18th July 2002 BST.
It appears that it was fixed some time later that day, so the fix has taken nearly four days since the discovery. We are not convinced that the problem has been dealt with in the most sensible or speedy manner, and there are still issues that need resolving. In the meantime, those users whose account details have already been stolen probably have no idea...
The claim reported on The Register, attributed to IRM, that the flaw had been fixed was premature. Please carry on reading this page for a chronological description of what happened.
Round One (14th July)
Here we describe the initial accidental discovery.
Discovery and Dissemination
The aim of this document was (and perhaps still is) to make users aware of a serious security issue regarding the viewing of their O2 account and billing details over the internet at www.o2.co.uk. O2 was formerly known as Genie.
Risks
- Users were led to believe that their user name and password were sent securely using HTTPS. This was misleading and untrue.
- It was possible for your user name and password to be viewed by an attacker.
- It was also possible for an attacker to view your name, address, and bank account details.
Demonstration of risks
Email
Users receive an email like this each month telling them that they can visit http://www.o2.co.uk/shop to access their account. Users may do this at any time.
Shop home page
When the user visits the URL mentioned in the email, they end up at this page. Clicking on the "View My Bill" link takes them to a login page which is accessed using a secure protocol (HTTPS).
"View My Bill"
This is the login page to view your bill. You are supposed to enter your user name and password here. Note that the web browser shows the padlock icon near the bottom right, indicating that this page was loaded over HTTPS. So it must be safe to send this information, right...?
Logged in
Oh no! It looks like it wasn't safe to send your user name and password after all. This is the page you end up on after you have logged in. Note that the padlock has now gone: this page was accessed using a non-secure protocol. More importantly, your user name and password were sent as plain text over the internet, possibly without you even realising! The padlock on the login page only tells you how that page itself was fetched; what matters is the address the login form submits to, and that was plain HTTP. This means that anyone between your computer and the O2 web server could have seen this information without needing to decrypt anything, and could then log in to your O2 account with it. We believe that the user can be misled into thinking that this process is secure, due to the padlock on the previous page. We also believe this is a serious oversight by the designers of the O2 web site.
Plain text password transmission :-/
Just to confirm what has happened, here is a dump of the HTTP request over TCP port 80. The POST request has sent your user name and password as plain text. Even users on your own network may be able to see this information.
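The check above can be automated. The following is an added example, not code from this page or from O2: it parses a login page, resolves each form's action against the URL the page was fetched from, and flags any form that carries a password field to a non-HTTPS address (the padlock describes the page fetch, not the submission). It then renders the bytes such a form would put on port 80, which is what the TCP dump above captured. The page URL, the markup and the form action are constructed stand-ins, not O2's real page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlencode

# Constructed stand-in for the "View My Bill" login page as it would be fetched
# over HTTPS. The markup and the form action are hypothetical, not O2's real page.
LOGIN_PAGE_URL = "https://www.o2.co.uk/shop/"
LOGIN_PAGE_HTML = """
<html><body>
<form method="post" action="http://www.o2.co.uk/shop/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form method="get" action="search">
  <input type="text" name="q">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> and the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes arrive with value None
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("type") or "text").lower(), a.get("name") or "")
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Flag every form that carries a password field to a non-HTTPS URL.

    The padlock only describes how page_url itself was fetched; the form's
    action attribute (resolved against page_url) is where the secrets go.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # empty action => same page
        has_password = any(kind == "password" for kind, _ in form["fields"])
        if has_password and urlsplit(target).scheme != "https":
            findings.append({
                "target": target,
                "method": form["method"],
                "fields": [name for _, name in form["fields"] if name],
            })
    return findings


def build_post_request(target, data):
    """Render the bytes a browser would put on TCP port 80 for this form."""
    parts = urlsplit(target)
    body = urlencode(data).encode()
    head = (
        f"POST {parts.path or '/'} HTTP/1.1\r\n"
        f"Host: {parts.netloc}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


if __name__ == "__main__":
    for f in audit_forms(LOGIN_PAGE_URL, LOGIN_PAGE_HTML):
        print(f"INSECURE: {f['method'].upper()} {f['target']} fields={f['fields']}")
        print(build_post_request(f["target"], {"username": "alice", "password": "s3cret"}).decode())
```

Run against a real site by fetching the login page over HTTPS and passing its body and URL to audit_forms; a relative action is only safe when the page carrying it was itself served over HTTPS, which is why the action is resolved against the page URL rather than inspected on its own.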
Security Code
As an extra security feature (!) you are required to enter a 4-digit PIN when viewing your name, address, etc. This is actually done over HTTPS and so cannot be snooped by other users. But let's face it, there are only 10,000 possible codes, and unless O2 locks the account or throttles guesses after a few failures (the page does not say whether it does), trying all of them is not going to take long (compared with guessing the user's password, which is longer and may contain many other characters). Once the correct 4-digit number has been found, an attacker can not only view but also change your name, email address, postal address, telephone number and bank account details. That's probably not a good thing.
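To make the brute-force point concrete, here is an added example (not O2's code, and not part of the original page) with a toy PIN verifier that can be configured with or without a lockout, and an attacker loop that walks the whole 4-digit space. Without a lockout the code is always recovered; with a lockout after a handful of failures the attacker only succeeds if the real code happens to lie inside those few guesses.

```python
class PinLockedOut(Exception):
    """The verifier refuses further guesses until the account is unlocked."""


class PinVerifier:
    """Toy stand-in for the 'security code' check (constructed, not O2's code).

    max_failures=None models a check with no lockout at all; a small number
    models the account being locked after that many wrong guesses.
    """

    def __init__(self, pin, max_failures=None):
        self._pin = pin
        self._max_failures = max_failures
        self.failures = 0
        self.attempts = 0  # guesses the verifier actually evaluated

    def check(self, guess):
        if self._max_failures is not None and self.failures >= self._max_failures:
            raise PinLockedOut()
        self.attempts += 1
        if guess == self._pin:
            return True
        self.failures += 1
        return False


def brute_force_pin(verifier, digits=4):
    """Try every digits-long code in order; return (pin_or_None, attempts_used)."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        try:
            if verifier.check(guess):
                return guess, verifier.attempts
        except PinLockedOut:
            return None, verifier.attempts
    return None, verifier.attempts


def success_probability(max_failures, digits=4):
    """Chance that a uniformly random PIN lies within the guesses allowed before lockout."""
    return min(1.0, max_failures / 10 ** digits)


if __name__ == "__main__":
    print(brute_force_pin(PinVerifier("4312")))                 # no lockout: found
    print(brute_force_pin(PinVerifier("4312", max_failures=5))) # lockout: stopped at 5
    print(success_probability(5))
```

The lockout counter, not the secrecy of the channel, is what decides whether a four-digit code is an obstacle; HTTPS stops eavesdropping on the code but does nothing against guessing it.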
Dodgy Security Statement
On the O2 web site (as at 14th July 2002), their Security Statement makes interesting reading: -
We think it is ironic that they say "Please ensure that you keep your password secure at all times." when it is in fact O2 itself that makes the transmission of your password vulnerable to interception by sending it as plain text rather than anything vaguely secure.
They also claim "The Shop section of our site is secure and fully tested ....". Hmm, I think we know that's not true now.
The statement "This means that the information passed between your computer and our web site cannot be read even in the event of it being intercepted by someone else." is only partly true: it applies only when HTTPS is actually being used. As we have demonstrated, HTTPS was not used when your user name and password were transmitted (although the user may be led to think that it was...). So it is possible for somebody to intercept your user name and password and then subsequently gain access to your O2 account.
Round Two (16th July)
O2 'fix' the problem?
This web page itself featured on The Register on 15/07/2002 at 18:35 GMT at http://www.theregister.co.uk/content/55/26200.html. Unfortunately, they seem to think I am some 'hax0r' dude with a nickname of "Jibble". Neither is true.
It's a nice article, but it says that Neil Barrett, Technical Director of IRM (Information Risk Management), has gone over the site with a fine-tooth comb and reckons the flaw has been fixed.
Unfortunately, he was wrong. The flaw was still present when we tested it at 12:23 BST and 19:29 BST on 16th July 2002. At a quick glance the site did look reasonably safe, but deeper analysis revealed that it was still submitting user names and passwords as plain text. We again confirmed this by examining the raw TCP stream. Whoops, looks like somebody made a mistake!
IRM also said "The story told on the Jibble page looks kosher..."
Well, cheers, it is true after all :)
"A spokeswoman for O2 said that it took security seriously and expressed surprise at the lapse. Technical staff at O2 are looking into the issue to find out what happened and when, she added."
- Perhaps they should fix the problem before they try to work out what went wrong! :) Or perhaps they should let me work for them...
As an O2 customer, I am a bit worried that they made this mistake in the first place. I am also worried that they still haven't fixed it. Perhaps I would have let O2 know about it directly if I could find any email addresses on their web site (it's not the best web site in the world). I have not received any form of communication from O2 regarding this matter. I would like to invite them to do so, as I am interested to see why they are still allowing their users to log in with a woefully insecure system (or at least a system that is nowhere near as secure as they claim it to be).
What O2 should do (17th July)
We are surprised that O2 appears to have taken no action to remedy this serious security problem yet. Here is the bare minimum that O2 should do (but haven't yet):-
- They should immediately stop accepting logins over the insecure protocol. They have not done this yet; customers are currently logging in and exposing their passwords to attackers.
- Create a new login process that is actually secure: the login form must submit to an HTTPS address, not merely be displayed over HTTPS.
- As soon as both of the above points have been remedied, they should admit that there was a problem and advise (or even better, force) all customers to change their passwords to prevent future unauthorised access to accounts.
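What the first two points look like on the server side, as an added example that is not O2's code and not part of the original page: a small WSGI login handler that redirects plain-HTTP page requests to HTTPS, refuses (rather than silently redirects) any credentials that arrive over plain HTTP, serves the form with an absolute HTTPS action, and marks the session cookie Secure. The user store, host name and path are constructed for the demonstration; the Strict-Transport-Security header is a post-2002 mechanism included as the modern counterpart of "never let the browser use http for this host again".

```python
import hmac
import io
from html import escape
from urllib.parse import parse_qs, urlunsplit

# Constructed credential store for the demonstration; a real system stores
# password hashes, not the passwords themselves.
USERS = {"alice": "correct horse battery staple"}

LOGIN_FORM = (
    '<html><body><form method="post" action="{action}">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<input type="submit" value="Log in"></form></body></html>'
)


def served_over_tls(environ):
    # wsgi.url_scheme reflects the listener the request arrived on. Behind a
    # TLS-terminating proxy you would consult the header that proxy sets
    # instead, and only because you control that proxy (not shown here).
    return environ.get("wsgi.url_scheme") == "https"


def login_app(environ, start_response):
    """WSGI app: credentials are accepted over HTTPS only."""
    method = environ.get("REQUEST_METHOD", "GET")
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = environ.get("PATH_INFO") or "/"
    https_url = urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))

    if not served_over_tls(environ):
        if method == "POST":
            # The secret already crossed the network in the clear; refuse it
            # loudly rather than redirecting, so the fault is visible.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Credentials must be submitted over HTTPS.\n"]
        start_response("301 Moved Permanently", [("Location", https_url)])
        return [b""]

    # HSTS (assumed available; it post-dates 2002): the browser will not use
    # plain http for this host again, closing the gap the redirect leaves.
    common = [("Strict-Transport-Security", "max-age=31536000")]

    if method == "GET":
        # Absolute https action: even a copy of this page served over http
        # cannot downgrade the submission.
        body = LOGIN_FORM.format(action=escape(https_url, quote=True)).encode()
        start_response("200 OK", common + [("Content-Type", "text/html")])
        return [body]

    length = int(environ.get("CONTENT_LENGTH") or 0)
    fields = parse_qs(environ["wsgi.input"].read(length).decode())
    user = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    expected = USERS.get(user, "")
    if not expected or not hmac.compare_digest(password.encode(), expected.encode()):
        start_response("401 Unauthorized", common + [("Content-Type", "text/plain")])
        return [b"Bad user name or password.\n"]
    # Session cookie flagged Secure so it, too, is never sent over plain http.
    start_response("200 OK", common + [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=opaque-token; Secure; HttpOnly; Path=/"),
    ])
    return [f"Logged in as {user}\n".encode()]


def call(app, method, scheme, path, host="www.o2.co.uk", body=b""):
    """Minimal WSGI driver; returns (status, headers dict, body bytes)."""
    environ = {
        "REQUEST_METHOD": method, "wsgi.url_scheme": scheme, "PATH_INFO": path,
        "HTTP_HOST": host, "QUERY_STRING": "", "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    print(call(login_app, "GET", "http", "/shop/login")[:2])
    print(call(login_app, "POST", "http", "/shop/login", body=b"username=alice&password=x")[0])
    print(call(login_app, "GET", "https", "/shop/login")[2].decode())
```

The 403 on a plain-HTTP POST is deliberate: a redirect would hide the fact that a password has already been exposed, whereas an error surfaces the misconfiguration to both the user and the operator.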
Why you should worry
When you read through the O2 Terms And Conditions at http://www.o2.co.uk/terms.html, there are a couple of interesting points, such as:-
- 4.1 To access the Services You will be issued with a user name, password and verification code that You can change at any time. You are responsible for the security and proper use of the password and verification code and must take all necessary steps to ensure that they are kept confidential, used properly and not disclosed to unauthorised persons. You will notify Us of any unauthorised use of Your password or Account, or verification code or any other breach of security.
- 4.2 You are responsible for ensuring that no unauthorised access is obtained to the Services through Your Account. You will be entirely liable for all activities conducted through Your Account whether authorised by You or not, until such time as You notify Us of such unauthorised use and We have stopped access to Your Account.
The first point is worrying, as it is infeasible for you to keep your password confidential and undisclosed to unauthorised persons when the flawed design of the O2 web site causes it to be sent as plain text over the internet.
The second point is equally worrying, as it is effectively saying that you are responsible for anything that happens through your account. So if an attacker exploits the flaws in the O2 web site (not difficult) and manages to log into your account, then you will be held responsible for anything that they do. In that respect, it seems as if O2 are not doing enough to protect their own customers.
O2 semi fix the problem
Some time (in the afternoon, possibly) on 18th July 2002, O2 eventually fixed their security problem. Password information is now dealt with correctly via the HTTPS protocol. This had taken 4 days to fix since our discovery.
So, problem solved? Not really. We think that O2 should advise their customers to change their passwords immediately. Making things secure now is not going to stop unauthorised account access if some nasty person has already stolen your login details! (And it's possible the flaw had been present long before our discovery...) So the following section details our recommendations that O2 still need to carry out: -
What O2 should still do (18th July)
We believe that O2 should still carry out the following actions:-
- Admit that a security flaw existed by notifying all of its customers about basic details of the security flaw so that they are aware of what has happened and what the implications are.
- That notification should, understandably, include resetting customers' passwords so that they are no longer vulnerable to past sniffing attacks.
- Last, but not least, they should not rely on the time and effort of their own customers to detect security problems on their own web site. It was by chance that this was discovered, and the flaw may have been present for longer than we believe. Such a trivial flaw should have been spotted by the web site designers - there is simply no excuse.
Document History
This document was created on 14th July 2002 and is believed to be the first such report. We have not received any news from O2 regarding this matter, despite this page having been visited thousands of times.
We have received lots of emails about this page, most of which express bad vibes towards O2 due to poor customer support and lack of web site availability. Some of the emails were even job offers from rival companies to O2. Still no word from O2, though.
Interestingly enough, I received a phone call from O2 a week later (about something completely unrelated to this page) and the employee didn't even seem to know about this security problem!
The author of this page may be contacted via email at the address below.
Copyright Paul Mutton 2001-2013
http://www.jibble.org/