dclegg:
And we're all OK with this?
Seems like a pretty serious breach of personal data. Email is far from a secure medium. At the very least, it should require an authenticated session before allowing it to be viewed.
Follow up: Is there a way to opt out of these electronic bills? I can't seem to find any option to do so via MySpark.
I guess if someone is making lots of dodgy 0900 for sex calls, then it looks a bit off if someone gets your invoice. But, in the days of internet do those even exist any longer?
How do I get the bill of someone considerably more famous than myself? It is an issue for them perhaps.
The issue I have is that there is enough info on a bill to be able to initiate a number port, and that is apparently an acceptable source of 2FA for banks and stuff, so while you are on hold with Spark about why your phone isn't working, someone could be cleaning out your accounts, logging into the Google etc. with an SMS 2-factor etc.
surfisup1000:
I guess if someone is making lots of dodgy 0900 for sex calls, then it looks a bit off if someone gets your invoice. But, in the days of internet do those even exist any longer?
How do I get the bill of someone considerably more famous than myself? It is an issue for them perhaps.
Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts.
We obviously need it to become a more common occurrence here in New Zealand before people start to be more proactive or concerned about it. But it is a big deal overseas.
Good news. Hopefully someone opens my bill and pays it for me
mendit:
Good news. Hopefully someone opens my bill and pays it for me
Or uses it to get more information about you from Spark through social engineering, then uses that information to call your bank and drain your bank account.
Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!
@dclegg:
Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts.
How do you go about doing this?
Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.
nakedmolerat:
How do you go about doing this?
Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.
Going about getting the bill? Or leveraging the information once done?
For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to be able to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).
And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending to the wrong recipient.
For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the number of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.
I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same that do acknowledge that companies storing passwords in plain text in their databases are a security risk.
richms:
I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.
I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.
One such brute force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.
I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit.
dclegg:
richms:
I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.
I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.
One such brute force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.
I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit.
It depends on how they're generating it (how much entropy there is) and how long it is.
If it is a 128-bit GUID and it's securely generated, then the answer is "a very long time", and certainly it would be noticed.
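The "crunch the numbers" question raised above, worked through as an added example (not code from the thread or from Spark). The subscriber count, link lifetime and sustained request rate are constructed assumptions chosen to favour the attacker, so the result is an upper bound on the brute-force risk; the 10-digit invoice-number comparison is likewise hypothetical.

```python
"""Back-of-envelope feasibility of guessing an unauthenticated bill URL.

Constructed figures, not Spark's: subscriber count, bill cadence and the
request rate are assumptions that err generously towards the attacker.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def live_links(subscribers: int, months_valid: int) -> int:
    """Valid links at any instant: one bill per subscriber per month, each
    link staying live for months_valid months (the 18 vs 1 month debate)."""
    return subscribers * months_valid


def expected_guesses(random_bits: int, live: int) -> float:
    """Mean number of uniformly random guesses before the first valid link.
    A securely generated UUIDv4 carries 122 random bits (6 are fixed
    version/variant bits); length alone says nothing, entropy does."""
    return 2 ** random_bits / live


def years_to_first_hit(random_bits: int, live: int, requests_per_second: float) -> float:
    """Expected wall-clock years at a sustained guess rate."""
    return expected_guesses(random_bits, live) / requests_per_second / SECONDS_PER_YEAR


def p_hit_within(random_bits: int, live: int, guesses: int) -> float:
    """Probability that at least one of `guesses` random tries lands on a
    live link: 1 - (1 - p)^n, via log1p/expm1 so p ~ 1e-30 does not vanish."""
    p_single = live / 2 ** random_bits
    return -math.expm1(guesses * math.log1p(-p_single))


if __name__ == "__main__":
    subs, rate = 2_000_000, 1_000_000  # constructed: subscribers, guesses/s
    for months in (18, 1):
        live = live_links(subs, months)
        print(f"{months:2d}-month expiry, UUIDv4: "
              f"{years_to_first_hit(122, live, rate):.2e} years to first hit")
    # Cutting expiry from 18 to 1 month only scales the (astronomical) number
    # by 18; expiry mainly limits the damage of a forwarded or mis-sent link.
    eighteen_months = 18 * 30 * 24 * 3600 * rate
    print(f"P(any hit in 18 months of guessing): {p_hit_within(122, live_links(subs, 18), eighteen_months):.1e}")
    # Hypothetical contrast: if the "huge string" were a 10-digit sequential
    # invoice number (~33 bits), guessing stops being a theoretical exercise.
    print(f"10-digit sequential id: ~{expected_guesses(33, live_links(subs, 18)):.0f} guesses")
```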
@dclegg:
Going about getting the bill? Or leveraging the information once done?
For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to be able to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).
As noted above - the link only lasts for 1 month. It may still be feasible - but is the effort worth it? Really?
And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending to the wrong recipient.
You can make the same error with a PDF attachment.
For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the number of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.
Sure - this however depends on the information that they need. It is probably easier to get that from somewhere else than cracking those URLs just to get your phone bills.
I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same that do acknowledge that companies storing passwords in plain text in their databases are a security risk.
As mentioned many times in this thread - the risk is no worse than resetting your password using email address etc.
I think the 18 month thing could do with looking at however. That seems absurdly long. Accessing past bills is an ideal way to make people log in etc when you can then present them with offers etc so I would expect a link to become invalid as soon as the next bill is issued.