Three Information Disclosure Vulnerability

A few weeks ago, I got an email from Three asking me to fill out a survey for them, rating my satisfaction with their services. They offered “the chance to win an iPad”, so I decided I’d fill in the survey to provide some feedback (I’m generally a fairly satisfied customer).

The link opened in my default web browser (Firefox), which happened to be linked up to Burp – after filling and submitting the survey, I was able to view the requests and responses that Firefox had made during the process. After looking at these requests, I noticed something quite worrying.

The site (https://www.threemicrosites.co.uk/survey/, now closed) was making an AJAX request to an API (http://www.threemicrosites.co.uk/api/getuser/p/44xxxxxxxxxx/, where xxxxxxxxxx is the 3 phone number). The request was made over cleartext HTTP, passing my mobile phone number in the URL. The response included my 3 account number, my full name, my email address and some other account identifier. I confirmed that this was the case for other numbers by entering a friend's phone number (with their permission) – sure enough, their name and contact details were presented to me. Information from the API was presented in the following form, as JSON:

{"success":true,"id":"813xxx","user_id":"9555xxxxxx","phone":"447598xxxxxx","email":"xxxxxx@yyyyy.zzz","title":"Mr","name":"Joseph","surname":"Redfern","email_vs_sms":"xxx","timestamp":"2015-05-xx xx:xx:xx"}

Clearly, this information disclosure isn’t ideal. The ability to find out the account holder and contact details behind ANY 3 phone number could come in handy for social engineering attacks, stalking, spamming etc. It would also be possible to scrape the API and build up a database of 3 customers by brute-forcing the API using H3G Number Prefixes, which can be found here – such a database could be very valuable to Three’s competitors, marketing companies, etc. I’d consider it a fairly severe breach of privacy.

The bizarre thing is that the survey didn’t appear to use any of the information returned by the API – the thank you page made no reference to my name, email address or account number.
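The two root causes above are an unauthenticated lookup keyed on a guessable identifier (the phone number in the URL) and a response that returns far more than the survey needs. The following is an added example, not Three's or the survey site's code, that puts that lookup pattern beside a hardened variant: the e-mail link carries an unguessable, single-use invitation token that is resolved to the phone number server-side, and the response is minimised to what a survey page could plausibly use. The customer table, token store and field names are constructed for the example; the endpoint would also need to be served over HTTPS, which code alone cannot show.

```python
"""Added example: unauthenticated phone-number lookup beside a token-bound,
data-minimised alternative. Not the survey site's real code."""
import secrets
from typing import Dict, Optional

# Constructed sample records; placeholders only, not real customers.
CUSTOMERS: Dict[str, dict] = {
    "447598000001": {"id": "813001", "user_id": "9555000001",
                     "name": "Alice", "surname": "Example",
                     "email": "alice@example.invalid"},
    "447598000002": {"id": "813002", "user_id": "9555000002",
                     "name": "Bob", "surname": "Example",
                     "email": "bob@example.invalid"},
}


def lookup_insecure(phone: str) -> dict:
    """Mirrors the flaw in the post: any caller who can guess a phone number
    receives the full account record, with no proof they own that number.
    Because the key space is a known prefix plus a few digits, this is
    enumerable by anyone who can reach the endpoint."""
    record = CUSTOMERS.get(phone)
    if record is None:
        return {"success": False}
    return {"success": True, "phone": phone, **record}


# Hardened variant ----------------------------------------------------------
# Invitation tokens are minted when the survey e-mail is sent, and the link
# carries the token rather than the phone number. Tokens are random
# (secrets.token_urlsafe), single-use, and mapped back to the phone number
# only on the server side.
INVITATIONS: Dict[str, str] = {}   # token -> phone (hypothetical store)


def issue_invitation(phone: str) -> Optional[str]:
    """Mint a token for a known customer. Returns None for unknown numbers
    so that issuing a token cannot itself be used as an existence oracle
    beyond what the sender already knew."""
    if phone not in CUSTOMERS:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
    INVITATIONS[token] = phone
    return token


def lookup_secure(token: str) -> dict:
    """Resolve a token to a minimal response. The phone number never appears
    in the URL, a spent token is rejected, and only the first name (for a
    greeting) is returned: no e-mail, surname, or account identifiers."""
    phone = INVITATIONS.pop(token, None)   # pop makes the token single-use
    if phone is None:
        return {"success": False}
    record = CUSTOMERS[phone]
    return {"success": True, "name": record["name"]}


if __name__ == "__main__":
    # Demonstration: the insecure path leaks everything for a guessed number;
    # the secure path needs a token and leaks only a first name, once.
    print(lookup_insecure("447598000001"))
    tok = issue_invitation("447598000001")
    print(lookup_secure(tok))
    print(lookup_secure(tok))   # second use -> {"success": False}
```

The point of `pop` and of returning only `name` is data minimisation at both ends: an attacker who obtains a link after it has been used gets nothing, and even a live token yields no contact details or account numbers.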

I reported the issue to Three customer support, and requested that I be notified once their security team had acknowledged the issue. Customer Support said that they’d pass the request on, but that they couldn’t promise anything – sadly, they didn’t bother to get back to me (and I didn’t even win their competition!). The survey has now been taken down, along with the offending API. I can’t be sure if this was in response to these issues, or if the closure was planned – but either way, this no longer seems to be a problem.

Video Demo:

GNUPanel on Debian Squeeze

I was recently playing around with the “GNUPanel” Hosting control panel software. While trying to install the dependencies (with the install-dep.sh file), I encountered the error:

Debian version not supported

Even though the GNUPanel site seemed to say that Debian Squeeze was supported.

A quick look at the install-dep.sh file showed that it relied on the mawk Unix utility.

By running apt-get install mawk, we can solve this problem and continue with the installation.


UPDATE:

I’ve now had a chance to play around with GNUPanel a bit more, and unfortunately, I don’t think it’s fully up to scratch. The installation process was pretty clunky – the automated install script forced me to manually confirm the installation of at least 10 groups of packages. Once the software was installed, I had to guess at the username – and the web interface was also pretty… “ropey”. These are mainly minor issues, and I’m sure that with some TLC, the project can progress and become much more usable.

Diaspora* Pod

So, I’ve set up a Diaspora* pod. Diaspora* is a service similar to Twitter/Facebook, but with (at least) one crucial difference. Rather than being run by one big company which has control over everyone’s data, many nodes (known as pods) are run by groups or individuals. Depending on how you see it, this could mean that your data is more secure – if you trust the owner of the pod, then you know that your information will not be sold or traded with anyone. I’m not expecting everyone in the world to abandon other social media sites – but it’s something you can try out if you’re interested. There is a lot more information about Diaspora* here.

I have recently acquired a few domain names, one of which is 23p.net. While this doesn’t really mean anything, I have decided to use it as the name of my Diaspora* pod because it is short, and easy to remember.

I hope to do a more technical writeup soon, but in the meantime, why not check it out? My Diaspora Username is josephredfern@23p.net.

LogBox

So, I’ve decided to try and publish more things to GitHub this year – starting with LogBox. LogBox will hopefully soon become a collection of scripts that can be used to monitor the performance of websites hosted on shared hosting servers. At the moment, LogBox contains only one script, which goes by the name of “loadavg”. If you’ve ever used a *nix machine before, you’ll probably know what the load average is – it is a measurement of the current CPU load, usually over the last 1, 5 and 15 minutes.

The loadavg script will check the load average of the server which it is being run on, and if the reported load averages cross a certain threshold, then a warning email will be sent to an email address of your choice. In addition to this, the current load averages will be logged to a MySQL Database.

The script is designed to be run as a cronjob (which most shared hosts support) – however, if cron is not available then it is possible to use “fakecron”, which is available here: http://quirm.net/2008/10/02/fake-cron/.
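To make the threshold logic concrete, here is an added example of a load-average check of the kind the post describes. It is not LogBox's own loadavg script: it parses the `/proc/loadavg` format, compares each window against a per-CPU threshold (a load of 4.0 is idle on eight cores but saturated on one), and builds the warning message. The MySQL logging and the e-mail send are stood in for by a return value, and the function names and the constructed sample lines are assumptions, so the decision logic can be run on input that does not depend on the host it runs on.

```python
"""Added example, not LogBox's loadavg script: parse a /proc/loadavg line,
compare it with a per-CPU threshold, and produce the warning text a cron
job could mail."""
import os
import socket
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class LoadCheck:
    load1: float
    load5: float
    load15: float
    cpus: int
    exceeded: Tuple[str, ...]   # windows that crossed the threshold


def parse_loadavg(text: str) -> Tuple[float, float, float]:
    """Parse the first three fields of a /proc/loadavg line, which has the
    form '0.52 0.58 0.59 1/389 12345' (1, 5 and 15 minute averages, then
    running/total tasks and the last PID, which are ignored here)."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("malformed loadavg line: %r" % text)
    return (float(fields[0]), float(fields[1]), float(fields[2]))


def check_load(text: str, threshold_per_cpu: float, cpus: int) -> LoadCheck:
    """Flag each window whose average exceeds threshold_per_cpu * cpus."""
    if cpus < 1:
        raise ValueError("cpus must be >= 1")
    l1, l5, l15 = parse_loadavg(text)
    limit = threshold_per_cpu * cpus
    windows = (("1min", l1), ("5min", l5), ("15min", l15))
    exceeded = tuple(name for name, value in windows if value > limit)
    return LoadCheck(l1, l5, l15, cpus, exceeded)


def build_alert(check: LoadCheck, hostname: str) -> Optional[str]:
    """Return the warning text, or None when no window crossed the limit.
    A real job would hand this string to its mailer; the check result is
    what it would also insert into the MySQL log table."""
    if not check.exceeded:
        return None
    return ("Load warning on %s: 1m=%.2f 5m=%.2f 15m=%.2f on %d CPU(s); "
            "over threshold: %s" % (hostname, check.load1, check.load5,
                                    check.load15, check.cpus,
                                    ", ".join(check.exceeded)))


def read_proc_loadavg(path: str = "/proc/loadavg") -> str:
    """Read the live line; only used when run directly, not in tests."""
    with open(path) as fh:
        return fh.readline()


if __name__ == "__main__":
    # Live run on a Linux host: per-CPU threshold of 1.0 (hypothetical value;
    # tune for the box). Shared hosts normally expose /proc/loadavg.
    line = read_proc_loadavg()
    result = check_load(line, threshold_per_cpu=1.0, cpus=os.cpu_count() or 1)
    alert = build_alert(result, socket.gethostname())
    print(alert if alert else "load OK: %s" % line.strip())
```

Running this from cron every few minutes gives the same behaviour the post describes; the only piece left to the deployment is what `build_alert`'s text is handed to, and whether `LoadCheck` is also written to the log table.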

Click Here to check out LogBox on GitHub