Thursday, July 4, 2013

Internode Id Increment Security Vulnerability

I was looking at the tracking information for a new phone I've ordered and I noticed that the id in the URL was relatively short, and that the site requires no authentication. That combination is always a red flag.

The implication is that the ids must be generated sequentially in order to fit into such a small address space. So, I incremented a number or two, and of course, I could then see tracking information and serial numbers for other people's phones.

By itself, that doesn't seem too bad, because what could I really do with that?

Oh wait, there's a helpful link to view the tracking on Star Track's own site. With the same vulnerability. With a phone number in the reference field.

Hmmm. So, with a little social engineering, it should be possible to call up the phone number, impersonating the delivery company when you know they have already received the tracking email, give them the incorrect address in order to get them to correct you, and wait for some ill-gotten gains.

As most security issues only manifest when a precise chain of conditions lines up, there is a final step to protect you: the delivery company requires ID and/or a matching signature to make the delivery.

Well, don't get me started on that. I'll blog about it at some point, but I'm still a little too angry, so here's the teaser version: Someone went and picked up my 10" Nexus tablet from the Fedex distribution centre before it could be delivered all the way to me.

So, I'm hoping Internode will fix this issue, and encourage Star Track to do the same, as I don't want any more deliveries to be stolen. The smallest, quickest fix they could do would be to not link through to Star Track and to keep a mapping of their own non-sequential reference numbers to Star Track's, so that they don't show the same reference numbers in the front-end as Star Track does, thereby de-coupling themselves from the rest of the problem until that can also be fixed. Star Track obviously needs to both choose better reference numbers and stop showing phone numbers in the front-end.
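A sketch of the mapping fix suggested above, as an added example that is not code from Internode or Star Track: the front-end only ever sees a random token, and the view it renders leaves out both the carrier's reference and the phone number. The names `TrackingRefMap`, `public_tracking_view`, `CARRIER_RECORDS` and `PUBLIC_FIELDS` are hypothetical, and the records are constructed sample data.

```python
import secrets

# Constructed sample data standing in for the carrier's records, keyed by its
# sequential reference numbers (all values are made up for this example).
CARRIER_RECORDS = {
    "1000041": {"status": "In transit", "last_scan": "Sydney depot", "phone": "0400 000 001"},
    "1000042": {"status": "Delivered", "last_scan": "Front door", "phone": "0400 000 002"},
}

# Only these fields are ever shown on the unauthenticated tracking page.
PUBLIC_FIELDS = ("status", "last_scan")


class TrackingRefMap:
    """Maps random public tokens to the carrier's sequential references."""

    def __init__(self, token_bytes=16):
        self._token_bytes = token_bytes  # 16 bytes = 128 bits from the OS CSPRNG
        self._by_token = {}
        self._by_carrier_ref = {}

    def issue(self, carrier_ref):
        """Return the public token for carrier_ref, creating one if needed."""
        if carrier_ref in self._by_carrier_ref:
            return self._by_carrier_ref[carrier_ref]
        token = secrets.token_urlsafe(self._token_bytes)
        while token in self._by_token:  # collision is astronomically unlikely
            token = secrets.token_urlsafe(self._token_bytes)
        self._by_token[token] = carrier_ref
        self._by_carrier_ref[carrier_ref] = token
        return token

    def resolve(self, token):
        """Return the carrier reference for token, or None if unknown."""
        return self._by_token.get(token)


def public_tracking_view(refmap, token, records=CARRIER_RECORDS):
    """Build the front-end view: no carrier reference, no phone number."""
    carrier_ref = refmap.resolve(token)
    if carrier_ref is None:
        return None  # same answer for guessed, incremented or malformed ids
    record = records[carrier_ref]
    return {field: record[field] for field in PUBLIC_FIELDS}
```

In a real deployment the mapping would live in a database table with a unique index on the token column rather than in memory.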
