Geekzone: technology news, blogs, forums
dclegg  #1490503 11-Feb-2016 15:23

andrew027:

    @dclegg: Spark have informed me that these URLs expire.

    Yes, they expire after 18 months.

18 months?! If true, then they basically don't expire for all intents and purposes of ID theft.




surfisup1000  #1490586 11-Feb-2016 16:06

dclegg:

    And we're all OK with this?

    Seems like a pretty serious breach of personal data. Email is far from a secure medium. At the very least, it should require an authenticated session before allowing it to be viewed.

    Follow up: Is there a way to opt out of these electronic bills? I can't seem to find any option to do so via MySpark.

I guess if someone is making lots of dodgy 0900 for sex calls, then it looks a bit off if someone gets your invoice. But, in the days of the internet do those even exist any longer?

 

How do I get the bill of someone considerably more famous than myself? It is an issue for them perhaps. 


richms  #1490618 11-Feb-2016 16:15

The issue I have is that there is enough info on a bill to be able to initiate a number port, and that is apparently an acceptable source of 2FA for banks and stuff, so while you are on hold with Spark about why your phone isn't working, someone could be cleaning out your accounts, logging into Google etc. with SMS 2-factor etc.








dclegg  #1490622 11-Feb-2016 16:24

surfisup1000:

    I guess if someone is making lots of dodgy 0900 for sex calls, then it looks a bit off if someone gets your invoice. But, in the days of the internet do those even exist any longer?

    How do I get the bill of someone considerably more famous than myself? It is an issue for them perhaps.

Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts. 

We obviously need it to become a more common occurrence here in New Zealand before people start to be more proactive or concerned about it. But it is a big deal overseas.


mendit  #1490625 11-Feb-2016 16:25

Good news. Hopefully someone opens my bill and pays it for me


timmmay  #1490630 11-Feb-2016 16:42

mendit:

    Good news. Hopefully someone opens my bill and pays it for me

Or uses it to get more information about you from Spark through social engineering, then uses that information to call your bank and drain your bank account.


 
 
 

cokemaster  #1490654 11-Feb-2016 17:18

When you log in to MySpark, you can access historic bills up to 18 months or so.
If you click on the email link, I believe there is a 1 month period. I have tested old emails myself and got the following, which indicates that bill links do expire.

[screenshot attached in the original post]


hashbrown  #1490661 11-Feb-2016 17:37

If someone has access to your email they can initiate a password reset and get all your bills.

Email is sufficient for this stuff. In most cases the email will be sent from Spark to Yahoo/Google/Microsoft using opportunistic TLS and downloaded by the user using pops/imaps/https. If you don't trust those companies, you've got bigger issues.

nakedmolerat  #1491234 12-Feb-2016 15:56

@dclegg:

    Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts.

How do you go about doing this?

Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.


dclegg  #1491261 12-Feb-2016 16:30

nakedmolerat:

    How do you go about doing this?

    Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.

Going about getting the bill? Or leveraging the information once done?

For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).

And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending to the wrong recipient.

 

For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the number of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.

I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same that do acknowledge that companies storing passwords in plain text in their databases are a security risk. 


richms  #1491264 12-Feb-2016 16:34

I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.






 
 
 

dclegg  #1491267 12-Feb-2016 16:41

richms:

    I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.

I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.

One such brute force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.

I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit. 


ubergeeknz  #1491272 12-Feb-2016 16:51

dclegg:

    richms:

        I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.

    I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.

    One such brute force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.

    I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit.

It depends on how they're generating it (how much entropy there is) and how long it is.

If it is a 128 bit GUID and it's securely generated, then the answer is "a very long time" and certainly it would be noticed.
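An added example, not from any poster in this thread, to put rough numbers on the point ubergeeknz makes above and dclegg asks for: the guessing risk depends on the token's entropy and on how many links are live at once, which is what the expiry window controls. Every figure in it (request rate, number of live bills, token lengths) is a constructed assumption, not Spark's real setup.

```python
# Added example (not from the thread): back-of-envelope feasibility of guessing
# an unauthenticated bill link. It models a uniformly random token, an attacker
# guessing at a fixed rate, and a pool of live (unexpired) links, any one of
# which would count as a hit. All figures below are constructed assumptions.
from dataclasses import dataclass

SECONDS_PER_MONTH = 30 * 86400  # assumption: 30-day months
SECONDS_PER_YEAR = 365 * 86400


@dataclass(frozen=True)
class GuessModel:
    token_bits: int          # random bits in the token (a version-4 UUID has 122)
    live_links: int          # unexpired links in existence, each one a valid hit
    requests_per_sec: float  # attacker's sustained, unthrottled request rate
    window_months: float     # how long a link stays valid

    def attempts(self) -> float:
        """Guesses the attacker can make before the links they target expire."""
        return self.requests_per_sec * self.window_months * SECONDS_PER_MONTH

    def hit_probability(self) -> float:
        """Union bound on P(at least one guess lands on a live link)."""
        return min(1.0, self.live_links * self.attempts() / 2 ** self.token_bits)

    def expected_years_to_first_hit(self) -> float:
        """Mean time to a hit if guessing ran indefinitely at this rate."""
        seconds = 2 ** self.token_bits / (self.live_links * self.requests_per_sec)
        return seconds / SECONDS_PER_YEAR


# Constructed scenarios: a million live bills, 10,000 requests per second.
UUID_18_MONTHS = GuessModel(122, 1_000_000, 10_000, 18)
UUID_1_MONTH = GuessModel(122, 1_000_000, 10_000, 1)
SHORT_TOKEN = GuessModel(32, 1_000_000, 10_000, 1)  # a 32-bit id, for contrast


def summary() -> dict:
    """Hit probabilities for the three scenarios, keyed by a short label."""
    return {
        "uuid4, 18-month expiry": UUID_18_MONTHS.hit_probability(),
        "uuid4, 1-month expiry": UUID_1_MONTH.hit_probability(),
        "32-bit token, 1-month expiry": SHORT_TOKEN.hit_probability(),
    }


if __name__ == "__main__":
    for name, p in summary().items():
        print(f"{name:30s} P(hit) ~ {p:.1e}")
    years = UUID_18_MONTHS.expected_years_to_first_hit()
    print(f"uuid4 mean time to first hit: {years:.1e} years")
```

The 18-month window raises the probability eighteenfold over a 1-month window, but against 122 random bits it stays negligible; the 32-bit token is the case where expiry and rate limiting actually decide the outcome.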


nakedmolerat  #1491279 12-Feb-2016 17:05

@dclegg:

    Going about getting the bill? Or leveraging the information once done?

    For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).

 

As noted above, the link only lasts for 1 month. It may still be feasible, but is the effort worth it? Really?

 

    And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending to the wrong recipient.

 

You can make the same error with a PDF attachment.

 

    For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the number of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.

 

Sure, this however depends on the information that they need. It is probably easier to get that from somewhere else than cracking those URLs just to get your phone bills.

 

    I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same that do acknowledge that companies storing passwords in plain text in their databases are a security risk.

 

As mentioned many times in this thread, the risk is no worse than resetting your password using your email address etc.


richms  #1491281 12-Feb-2016 17:07

I think the 18 month thing could do with looking at however. That seems absurdly long. Accessing past bills is an ideal way to make people log in etc when you can then present them with offers etc so I would expect a link to become invalid as soon as the next bill is issued.













