[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bitdefender Internet Security -



There seems to be some security issues with the way Bitdefender Internet 
Security 2015 software (Build 18.20.0.1429) interacts with its myBitdefender 
online portal.

Issues:

1) Possible partial information disclosure privacy issue of users' 
myBitdefender account credentials when using the SAFEGO functionality for 
Facebook.
2) Bruteforce of passwords for myBitdefender accounts are possible using the 
method below.
 
ISSUE 1

To illustrate issue 1, I have created a spare account on myBitdefender at 
https://my.bitdefender.com with the following credentials:

Login ID: jerold.usa@xxxxxxxxx
Password: password1

Upon clicking on the SAFEGO "Reports for Facebook" link from Bitdefender's user 
interface under the "Tools" tab, a web URL link will be open:

https://my.bitdefender.com/en_US/my/#page=safego.facebook_index&?login=jerold.usa@xxxxxxxxx&passmd5=7c6a180b36896a0a8c02787eeafb0e4c&lang=en_us

Note the HTTP parameter passmd5 which contains the value 
"7c6a180b36896a0a8c02787eeafb0e4c". It is a simple trivial hashing of the 
plaintext password "password1" using the MD5 algorithm which "broken" in some 
sense. 

A malicious attacker that has gotten hold of the hash can do a simple reverse 
lookup using the many available MD5 hash databases online.

Imy simple test I used http://www.md5online.org/with the hash 
"7c6a180b36896a0a8c02787eeafb0e4c" and was given the plaintext password of 
value "password1".

ISSUE 2:

Another point of concern is the HTTP response that was received when the HTTP 
GET request with valid credentials below was sent:

GET 
/lv2/account?login=jerold.usa%40gmail.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4c&type=userpass
 HTTP/1.1
Host: my.bitdefender.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/39.0.2171.99 Safari/537.36
Referer: https://my.bitdefender.com/login
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: 
com.bitdefender.mybd.lang=%7B%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expire%22%3Anull%7D;
 _ga=GA1.3.1523623201.1421739258; _gat=1

The HTTP response was a JSON response from the server:

{
  "token": "Wa6QqAuiUlrKRYcvnZZIEGI00TM", 
  "passmd5": "7c6a180b36896a0a8c02787eeafb0e4c", 
  "country_id": "192", 
  "login": "jerold.usa@xxxxxxxxx", 
  "preferences": "{\"lang\": \"en_us\"}"
}

Notice that the passmd5 parameter is passed back in clear. Also, it is noted 
that even after multiple logouts, the token value returned is still the same.

Passing a HTTP GET request below with invalid credentials has the following 
behavior:

GET 
/lv2/account?login=jerold.usa%40gmail.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4d&type=userpass
 HTTP/1.1
Host: my.bitdefender.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like 
Gecko) Chrome/39.0.2171.99 Safari/537.36
Referer: https://my.bitdefender.com/login
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: 
com.bitdefender.mybd.lang=%7B%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expire%22%3Anull%7D;
 _gat=1; _ga=GA1.3.1523623201.1421739258; 
com.bitdefender.mybd=%7B%22user%22%3A%22jerold.usa@xxxxxxxxx%22%2C%22token%22%3A%22Wa6QqAuiUlrKRYcvnZZIEGI00TM%22%2C%22country_id%22%3A%22192%22%2C%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expiry%22%3A1421742342979%2C%22remember%22%3Afalse%7D

The HTTP response was a JSON response from the server:

{
  "captcha": "false", 
  "error": "wrong_login"
}

Notice that the server responded with wrong login, indicating that the login 
failed. There is no form of captcha that tracks the number of failed logins 
before locking the account for a said period of time, which is ideal for a 
bruteforce attack.

Bruteforce attack scenario:

1. Obtain a dictionary wordlist of md5 hashes which is easily available online. 
A quick Google shows that some wordlists have more than 376,484,923,572 hashes.
2. Obtain the target's email address.
3. Code a script to send the GET request as below, substituting the login and 
passmd5 HTTP parameters with the target's email address and hashes from the 
wordlist. Alternatively, BurpSuite's intruder would be perfect for this case. 
Load the wordlist and use sniper-mode to start the bruteforce.
4. Observe the HTTP response. if a response similar to the one below is found, 
the account has been compromised, allowing the attacker access to all 
Bitdefender online functionalities.

{
  "token": "Wa6QqAuiUlrKRYcvnZZIEGI00TM", 
  "passmd5": "7c6a180b36896a0a8c02787eeafb0e4c", 
  "country_id": "192", 
  "login": "jerold.usa@xxxxxxxxx", 
  "preferences": "{\"lang\": \"en_us\"}"
}

Seeing how Bitdefender popularity has grown in recent years, I would expect a 
"more secure" approach to handling such data...

Regards,
Jerold