Geekzone: technology news, blogs, forums

Topic # 223012 7-Sep-2017 21:50

I just realised when I sign into My Vodafone for my prepay number and select Profile > My details


It takes me to a page with URL [removed].


This does not seem very secure?


  Reply # 1860590 7-Sep-2017 21:53

Requires me to login.

Edit: Confirmed. Pretty serious.





Michael Murphy | https://murfy.nz
Want to be with an epic ISP? Want $20 to join them too? Well, use this link to sign up to BigPipe!
The Router Guide | Electric KiwiCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial





  Reply # 1860591 7-Sep-2017 21:55

Yes, only works if I am already logged into my account and then change the URL.



  Reply # 1860598 7-Sep-2017 22:20

Pretty serious issue if that's the case.

I'd recommend notifying VF directly and you (or Mod) removing specifics from your above post until they've had a chance to look into it - responsible disclosure.

BDFL - Memuneh

  Reply # 1860600 7-Sep-2017 22:30

I have messaged @MikeHales and emailed a VF contact. I have not tested as on mobile but have removed the URL for now.





  Reply # 1860602 7-Sep-2017 22:43

DeroyBoy:

Yes, only works if I am already logged into my account and then change the URL.

I have confirmed it with several mobile numbers. Loads anyone with an active My Vodafone account. Pretty serious...





Michael Murphy | https://murfy.nz
Want to be with an epic ISP? Want $20 to join them too? Well, use this link to sign up to BigPipe!
The Router Guide | Electric KiwiCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial



  Reply # 1860603 7-Sep-2017 22:49

Thanks for the heads up, will check with product team.




Channel Manager, Help & Support @ Vodafone NZ


'That VDSL Cat'

  Reply # 1860618 8-Sep-2017 00:30

Indeed quite serious. Looks patched in some sections, broken in others.

I'd personally be pushing for My Vodafone to go into maintenance mode straight away in the short term if I was on that side of the fence...

Edit:

Further checks: seems only pure angler exposed sections of the site are abusable; the sections that do their own callout pick up on the issue and simply silently fail.





#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.



  Reply # 1860619 8-Sep-2017 00:42

hio77:

Edit:

Further checks: seems only pure angler exposed sections of the site are abusable; the sections that do their own callout pick up on the issue and simply silently fail.

Didn't used to do that. I successfully updated some details through it (and confirmed this).





Michael Murphy | https://murfy.nz
Want to be with an epic ISP? Want $20 to join them too? Well, use this link to sign up to BigPipe!
The Router Guide | Electric KiwiCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial


'That VDSL Cat'

  Reply # 1860620 8-Sep-2017 00:45

michaelmurfy:

Didn't used to do that. I successfully updated some details through it (and confirmed this).

Maybe it was CIRL related to load-balancing? I didn't really go much further than testing quickly, it is 12.45am after all....

Otherwise, bits are fixed already which is great, but still concerning that it still exists elsewhere.

Retested:

Definitely is not working on JS-loading objects. (My number is blanked, not the /targeted/ number.)





#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.



  Reply # 1860623 8-Sep-2017 01:19

hio77:

I'd personally be pushing for My Vodafone to go into maintenance mode straight away in the short term if I was on that side of the fence...

+10

Wouldn't take long to crawl a good chunk of the address space. This is how you end up on https://haveibeenpwned.com/PwnedWebsites#Vodafone

Or at the very least this afternoon's news.


BDFL - Memuneh

  Reply # 1860637 8-Sep-2017 07:11
One person supports this post

I have hidden this thread to give Vodafone some time to work on a solution or interim workaround.

 

It seems the Profile page is currently being redirected back to the connections page (the list of phone numbers), which is not affected by this fault.





BDFL - Memuneh

  Reply # 1860641 8-Sep-2017 07:26
2 people support this post

For those who think this isn't a big deal... While this page was spitting out other people's details someone could write a script to log in as a valid user and simply go through a range of numbers. Should a response with valid data come back, the data could be extracted and stored away. Data including name, email address and birth date could be used for identity theft, phishing scams, spam or more.

If you use a special email address for each service, someone could call you pretending to be from Vodafone and, by saying that's your email address, could gain your trust and ask for things like "We need your card number to confirm", etc.

There are lots of bad things that could happen from some customer data.

Nice to see these pages are now locked. Security and performance are features, not afterthoughts. Whoever is developing/updating these pages should have a formal testing framework and have both these tenets in mind.
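An added illustration of the check this post calls for, not Vodafone's code or anything from the thread: a profile lookup keyed by phone number must verify the number belongs to the logged-in account, and a simple access-log sweep can flag a single session reading many different profiles. All customer names, numbers, account ids and the log format are constructed assumptions.

```python
# Added example (not Vodafone's code): an object-level authorization check for a
# profile page keyed by phone number, beside the unchecked lookup the thread
# describes, plus a log check that flags one session reading many profiles.
# All names, numbers and log lines below are constructed for illustration.
from collections import defaultdict

# Constructed customer store: phone number -> profile details.
PROFILES = {
    "0210000001": {"name": "Alice Example", "email": "alice@example.invalid"},
    "0210000002": {"name": "Bob Example", "email": "bob@example.invalid"},
}
# Constructed account -> the numbers ("connections") that account owns.
ACCOUNT_CONNECTIONS = {"acct-alice": {"0210000001"}}


def profile_unchecked(account_id, msisdn):
    """Vulnerable pattern: checks only that *a* user is logged in, then
    returns whatever number the URL asked for."""
    if account_id is None:
        return None  # not logged in
    return PROFILES.get(msisdn)  # no ownership check: any customer's data


def profile_checked(account_id, msisdn):
    """Hardened form: the number must belong to the logged-in account."""
    if account_id is None:
        return None
    if msisdn not in ACCOUNT_CONNECTIONS.get(account_id, set()):
        return None  # same answer as "not found": do not confirm existence
    return PROFILES.get(msisdn)


def sessions_over_threshold(log_lines, max_distinct=3):
    """Detection: sessions that successfully fetched more than max_distinct
    different numbers from the profile endpoint. Assumed (constructed) log
    format: '<session> GET /profile/<msisdn> <status>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _method, path, status = line.split()
        if path.startswith("/profile/") and status == "200":
            seen[session].add(path[len("/profile/"):])
    return sorted(s for s, nums in seen.items() if len(nums) > max_distinct)


SAMPLE_LOG = [  # constructed access log: s2 walks through a range of numbers
    "s1 GET /profile/0210000001 200",
    "s2 GET /profile/0210000001 200",
    "s2 GET /profile/0210000002 200",
    "s2 GET /profile/0210000003 200",
    "s2 GET /profile/0210000004 200",
]
```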





BDFL - Memuneh

  Reply # 1860642 8-Sep-2017 07:39
3 people support this post

Vodafone has confirmed this was changed at 3am to prevent this exploit happening.

Thanks to OP for reporting.

In the future it would be good if this kind of thing was passed quietly to a mod who will contact people in the affected companies. This is just to prevent details becoming public before a fix is implemented.








  Reply # 1860644 8-Sep-2017 07:43

Good to see issue resolved quickly. Will do as you suggest in future.


  Reply # 1860650 8-Sep-2017 08:01
One person supports this post

Vodafone might like to retain Kordia Security Services. I've found them excellent.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

