[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] FON (fon.com) - Crappy security policy part II
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] FON (fon.com) - Crappy security policy part II
- From: Anonymous via the Cypherpunks Tonga Remailer <nobody@xxxxxxxxxxxxxx>
- Date: Sun, 1 Oct 2006 19:05:13 +0200 (CEST)
FON (www.fon.com) is some semi-free wifi service. Members contribute
their connection and allow other FON users to use their connections
for free or small money (depends, the users have to contribute their
connection to get free access).
Although the users have to identify at the hotspot, we have
problem #1:
===========
The police would'nt care that you share your internet connection when
they find your IP in some logs related to hacking, copyright issues,
child porn or whatever. They will first confiscate your equipment and
ask then.
problem #2:
===========
It is or was possible to steal anyone's credentials:
http://fon.freddy.eu.org/pcap-decoder/howto/
problem #3:
===========
At the time, when I realized the existance of FON, it was possible to
register with fake e-mail addresses, because they had a lame
verification mechanism (something like
http://fon.com/verify.php?email=president@xxxxxxxxxxxxxx). I
successfully registered dozens of fake accounts that way and all these
accounts still work. At least that hole has been fixed in the
meantime.
However. Although problem #2 has been made public, no "please set a
new password" requests have been sent to the subscribers. Although
they seem to know that they had problem #3 (otherwise they would'nt
have fixed it), they did no approach to *verify* their user identies
(my "regular" FON account has not been verified and my fake accounts
still work).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/