[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] United Airways(r) united.com Insecure Transmission of User Credentials
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] United Airways(r) united.com Insecure Transmission of User Credentials
- From: Michael Scheidell <michael@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 13 Jul 2014 11:58:18 +0000
United Airways(r) united.com Insecure Transmission of User Credentials
Revision Date: May 6th, 2014
Reason for Revision: Issue has been fixed by united.com
Systems: www.united.com
Severity: Critical
Category: Information Disclosure
Author: Michael Scheidell, CCISO – Managing Director, Security Privateers
Original Public Release Date: June 30th, 2014.
Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago
ECTF)
Notifications: May 5th, 2014. Update sent to MECTF and United Airlines
Discussion: (From United.com’s web siteprivacy policy)
Privacy Policy
Your privacy is important to us
United Airlines is committed to protecting the privacy and personal data it
receives from customers. We want you to know that when you use one of the
United family Internet websites, and when you provide us with information
offline, the privacy of your personally identifiable information will be
respected and protected.
Vulnerability: Confidential login information, including password is
transmitted in plain text
This vulnerability has similar scope and threat as the HeartBleed bug. Even
though this exploit does not depend on the HeartBleed bug, it still has the
potential to disclose confidential information that the user would reasonably
assume to be sensitive or, in combination with their username, would be
considered private, unpublished personal information.
The Home page of www.united.com has a link to a ‘Sign in’ page in the upper
right hand corner clicking on this link brings the user to another page, an
html form that requests userlogin and password. Source code reveals that ‘Sign
in (Secure)’ button links to http, not https page:
<div><span id="ctl00_CustomerHeader_spanNotSignedIn"><a
id="ctl00_CustomerHeader_linkSignIn" href="apps/account/account.aspx">Sign
In</a> | </span><a id="ctl00_CustomerHeader_linkMyAccount"
href="apps/account/account.aspx">My Account</a> | <a accesskey="9"
href="content/Contact/default.aspx">Contact Us</a></div>
When you select ‘Sign in’, you are presented with a screen at url:
http://www.united.com/web/en-US/apps/account/account.aspx and asked to log in.
The request is for MileagePlus Number or Username:
PIN or Password:
And the ‘submit’ button is labeled ‘Sign In (Secure)’.
First thing to note is that this is an http (plain text, unencrypted) webpage,
second thing to note is that the submit button calls a standard ‘POST’ which
when the user presses the ‘Sign In (Secure)’ button, the information is
transmitted from the user’s computer across the internet in plain text.
<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">
<form name="aspnetForm" method="post" action="signin.aspx"
onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
I suspected that there might be an issue with this not directing to or using
SSL, so I enabled Microsoft Message Analyzer (Instead of Wireshark), selected
proxy mode and watched the transactions. It is clear, in packet #45 of the
packet trace that the username and password that were entered into the above
form were sent to www.united.com in plain text.
For information on how your information is stolen on open, unencrypted Wifi see
'Stalker: A creepy look at you, online'.
Threat: Unauthorized person can obtain the confidential credentials of an
authorized user. The combination of these vulnerabilities, the disclosure of
confirmation number, flight information, username and password pose a
significant threat to the traveler. In addition to flight information, the
united.com web site allows a logged on user the ability to view Full Name, Home
Address, Phone Numbers, email address, birthdate, and any government issued ID
such as passport number, redress number of Global Entry/TSA precheck number.
This is not just a theoretical threat as the danger to a frequent flyer is
increased due to the use of public/free unencrypted WiFi in airports, VIP
lounges, coffee houses and hotels. It is due to the ease of interception of
http/web traffic that https, ssl encryption was mandated for PCI compliant web
sites.
Exploit: A packet sniffer installed on a hub, gateway, router, switch or
computer could be used to read information along with easily obtained software
that is designed to collect information from unencrypted wireless networks.
Risk: United services 16 million flyers a year. If an Unauthorized person used
the above information to log in, they can obtain additional confidential
information on the web site such as name, phone number, birth date, address,
email address, TSC precheck /known traveler number, and information on past and
future travel plans. An unknown number of these flyers have used united.com
since the introduction of this vulnerability. Each one of these users is at
risk of identity theft, email spam and stalking. Terrorists may use this
information to obtain or forge boarding documents.
Control: United.com redirects all web traffic on mobile devices to an https
platform which encrypts traffic. United.com should use this same control on
normal laptop and workstation traffic, or at the very least, redirect login
information to an encrypted, https enabled web form. As of May 5th, United has
updated the login page to submit the user’s information to an encrypted page.
Residual Risk: Critical
If there is even a .01% chance that 100,000 users accessed their united.com
account while this vulnerability was in place, this constitutes a minimum
financial loss of $1,000,000 to cover one year of identity theft monitoring for
users.
United Airlines Response:
April 29th, United Airlines provided, via twitter, an email address to send
information to: (eservice@xxxxxxxxxx).
May 5th, in response to a second email to eservice@xxxxxxxxxx that was cc’d to
their CISO I received an email form the CISO promising to look into it, and
then later a phone call to discuss timing of a public disclosure.
May 6th, I received a call from the CISO informing me that the vulnerability
had been addressed.
MECTF Response:
Information has been forwarded to DHS, USSS and Chicago ECTF
CECTF Response:
May 5th, Spoke on the phone with Chicago ECTF
InfraGard Response:
Assigned iGuardian/ Incident number INFRAGARD-2014-00054
Solution:
United.com’s team worked on and deployed a multipart fix that addresses this
and a similar issue. The following code has been implemented on united.com’s
web site. Notice the forced direction to the https url in the post:
<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">
<form name="aspnetForm" method="post"
action="https://www.united.com/web/en-US/apps/account/signin.aspx";
onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
The fix for this specific issue was to direct the post to the recommended
https/ssl encrypted page.
United.com should determine how long this vulnerability existed, and how many
users it affected in order to provide recommended disclosure. Any united.com
client who had their information exposed should immediately change their
password, and may wish to take additional actions if they believe their account
has been compromised. Additional information on the 47 states different
breach laws, and breach notification requirements can be found here:
http://www.perkinscoie.com/statebreachchart/
Credit:
This problem was originally found by Michael Scheidell, CCISO and Managing
Director of Security Privateers. Issue was discovered during a routine booking
of a flight on United.com and verified by using Microsoft Message Analyzer to
inspect traffic on the local network. No hacking performed, no hacking
attempted.
Additional research and documentation by Almantas Kakareka, CISSP, Founder and
CTO of Demoy, Inc.
Additional Information:
A tcpdump/pcap packet of the information disclosure will only be shared with
responsible party.
We believe in responsible disclosure. Responsible companies should acknowledge
the efforts of recognized security researchers and security researchers should
avoid public disclosure of vulnerabilities before working with the vendor to
fix them.
Almantas shared this additional research and documentation:
Once you enter the correct username:password combo they redirected you to the
https site, but that is too late, because username and password were
transmitted in the clear already. I have a set of valid username and pass, so I
tried with both and highlighted username and password fields.
Incorrect credentials:
POST /web/en-US/apps/account/signin.aspx?SID=2339635A0A614FA582CBA1B6810337D2&
HTTP/1.1
Host: www.united.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0)
Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.united.com/web/en-US/apps/account/account.aspx
Cookie: VanityURL=Null; TLTSID=3B5BEC44430E6430D00DD799B0242B66;
TLTUID=3B5BEC44430E6430D00DD799B0242B66; v1st=6DD392AF0993E475;
akaau=1399241916~id=7064a883615beb764bd4137eaecb0a05;
SID=2339635A0A614FA582CBA1B6810337D2; VanityURL=;
akaau=1399241903~id=52a65a3f3488ee168c12ba0839a4fbec; dnn=false;
IP=Check=1&Country=US&City=HALLANDALE&Region=FL&PostalCode=33008-33009&LineSpeed=vhigh&CityCS=0&StateCS=0&CountryCS=0&StartIP=0&EndIP=0&Cidr=0&Continent=NA&PhoneNumberPrefix=954&TimeZone=0&Latitude=25.9808&Longitude=-80.1486&Dma=528&Msa=0&Pmsa=2680&AOL=False&Asn=20214&SldId=0&TldId=0&RegOrgId=0&CarrierId=0;
cocom=si=False; 1stSID=2339635A0A614FA582CBA1B6810337D2;
ChaseICLastPage=/web/en-US/default.aspx?root=1; culture=LanguageDesc=English;
WB03=3aX4YIzPvAjgDJeFdBzCSlN_dxYCUpPK7K-YRmHlyjAmNVxhXIIyuCA
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1869
hdnServer=.58&hdnSID=2339635A0A614FA582CBA1B6810337D2&hdnLangCode=en-US&hdnPOS=US&hdnClient=xxx.xxx.xxx.xxx&hdnInactive=false&hdnAccountNumber=&hdnAccountNumberE=&hdnAccountStatus=&__EVENTTARGET=&__EVENTARGUMENT=&hdnTiming=0.234324+seconds&__VIEWSTATE=%2FwEPDwUKMTQzNjgzNDA3NA9kFgJmD2QWAgIDDxYCHghvbnVubG9hZAUSUHVyY2hhc2VBYmFuZG9uKCk7FgICAQ9kFgQCBQ9kFgICCQ9kFgQCCQ9kFgICAQ8PFgIeC05hdmlnYXRlVXJsBTlodHRwczovL3d3dy51bml0ZWQuY29tL3dlYi9lbi1VUy9hcHBzL2FjY291bnQvZW5yb2xsLmFzcHhkZAIND2QWAgIBD2QWCAIBD2QWBAICDw8WBB4MRXJyb3JNZXNzYWdlBUYhIFBsZWFzZSBlbnRlciBhIE1pbGVhZ2VQbHVzIE51bWJlciBvciBVc2VybmFtZS48IS0tRXJyQ29kZTpWMS0tPjxici8%2BHg9WYWxpZGF0aW9uR3JvdXAFClNpZ25JbkZvcm1kZAIEDw8WBB8CBU0hIFBsZWFzZSBlbnRlciBhIHZhbGlkIE1pbGVhZ2VQbHVzIE51bWJlciBvciBVc2VybmFtZS48IS0tRXJyQ29kZTpWMTUtLT48YnIvPh8DBQpTaWduSW5Gb3JtZGQCAw9kFgJmDw8WAh8BBV9%2BL2VuLVVTL2FwcHMvYWNjb3VudC9zZXR0aW5ncy9hY2NvdW50TnVtYmVyUmVzb2x1dGlvbi5hc3B4P1NJRD0yMzM5NjM1QTBBNjE0RkE1ODJDQkExQjY4MTAzMzdEMmRkAgUPZBYEZg8PFgIfAwUKU2lnbkluRm9ybWRkAgIPDxYCHwMFClNpZ25JbkZvcm1kZAIJD2QWAmYPZBYCAgIPEA8WAh8DBQpTaWduSW5Gb3JtZGRkZAILDw8WAh4HVmlzaWJsZWhkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBQUYY3RsMDAkQ3VzdG9tZXJIZWFkZXIkcmQxBRhjdGwwMCRDdXN0b21lckhlYWRlciRyZDIFGGN0bDAwJEN1c3RvbWVySGVhZGVyJHJkMwUcY3RsMDAkQ3VzdG9tZXJIZWFkZXIkY2hrU2F2ZQUsY3RsMDAkQ29udGVudEluZm8kU2lnbkluJHJlbWVtYmVybWUkY2hrUmVtTWVtNPCBkkF%2BqAwHBybM%2BRgjKjLqjg%3D%3D&ctl00%24CustomerHeader%24ddlCountries=US&ctl00%24CustomerHeader%24rdlang=en-us&ctl00%24CustomerHeader%24chkSave=on&ctl00%24CustomerHeader%24countryText=&ctl00%24CustomerHeader%24langText=&ctl00%24ContentInfo%24hdnReturnPage=%2Fweb%2Fen-US%2Fapps%2Faccount%2Faccount.aspx%3FSID%3D2339635A0A614FA582CBA1B6810337D2&ctl00%24ContentInfo%24SignIn%24onepass%24txtField=123123&ctl00%24ContentInfo%24SignIn%24password%24txtPassword=12313123&ctl00%24ContentInfo%24SignInSecure=Sign+In+%28Secure%29
HTTP/1.1 200 OK
Cache-Control: private,no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Server: Continental Airlines, Inc.
Content-Length: 29133
Date: Sun, 04 May 2014 22:13:44 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: VanityURL=; domain=united.com; path=/
Set-Cookie: TLTSID=3B5BEC44430E6430D00DD799B0242B66; domain=united.com; path=/
Set-Cookie: TLTUID=3B5BEC44430E6430D00DD799B0242B66; domain=united.com; path=/
Set-Cookie: akaau=1399241903~id=52a65a3f3488ee168c12ba0839a4fbec;
domain=united.com; path=/
Set-Cookie: SID=2339635A0A614FA582CBA1B6810337D2; domain=united.com; path=/
Set-Cookie: dnn=false; domain=united.com; path=/
Set-Cookie: cocom=si=False; domain=united.com; path=/
Set-Cookie: 1stSID=2339635A0A614FA582CBA1B6810337D2; domain=united.com; path=/
Set-Cookie: ChaseICLastPage=/web/en-US/default.aspx?root=1; domain=united.com;
path=/
Set-Cookie: culture=LanguageDesc=English; domain=united.com; path=/
Set-Cookie: WB03=3aX4YIzPvAjgDJeFdBzCSlN_dxYCUpPK7K-YRmHlyjAmNVxhXIIyuCA;
domain=united.com; path=/
Set-Cookie: akaau=1399241924~id=490df85bb4d9bdcae491b9c82c398a00; path=/
======================================
Correct credentials:
POST /web/en-US/apps/account/signin.aspx?SID=2339635A0A614FA582CBA1B6810337D2&&
HTTP/1.1
Host: www.united.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0)
Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://www.united.com/web/en-US/apps/account/signin.aspx?SID=2339635A0A614FA582CBA1B6810337D2&;
Cookie: VanityURL=Null; TLTSID=3B5BEC44430E6430D00DD799B0242B66;
TLTUID=3B5BEC44430E6430D00DD799B0242B66; v1st=6DD392AF0993E475;
akaau=1399241925~id=75eddb36b1fa81c429b9f436d037ad14;
SID=2339635A0A614FA582CBA1B6810337D2; VanityURL=;
akaau=1399241903~id=52a65a3f3488ee168c12ba0839a4fbec; dnn=false;
IP=Check=1&Country=US&City=HALLANDALE&Region=FL&PostalCode=33008-33009&LineSpeed=vhigh&CityCS=0&StateCS=0&CountryCS=0&StartIP=0&EndIP=0&Cidr=0&Continent=NA&PhoneNumberPrefix=954&TimeZone=0&Latitude=25.9808&Longitude=-80.1486&Dma=528&Msa=0&Pmsa=2680&AOL=False&Asn=20214&SldId=0&TldId=0&RegOrgId=0&CarrierId=0;
cocom=si=False; 1stSID=2339635A0A614FA582CBA1B6810337D2;
ChaseICLastPage=/web/en-US/default.aspx?root=1; culture=LanguageDesc=English;
WB03=3aX4YIzPvAjgDJeFdBzCSlN_dxYCUpPK7K-YRmHlyjAmNVxhXIIyuCA
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 2229
hdnServer=.83&hdnSID=2339635A0A614FA582CBA1B6810337D2&hdnLangCode=en-US&hdnPOS=US&hdnClient=xxx.xxx.xxx.xxx&hdnInactive=false&hdnAccountNumber=&hdnAccountNumberE=&hdnAccountStatus=&hdnTiming=0.0624876+seconds&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTQzNjgzNDA3NA9kFgJmD2QWAgIDDxYCHghvbnVubG9hZAUSUHVyY2hhc2VBYmFuZG9uKCk7FgICAQ9kFgQCBQ9kFgICCQ9kFgYCCQ9kFgICAQ8PFgQeC05hdmlnYXRlVXJsBTlodHRwczovL3d3dy51bml0ZWQuY29tL3dlYi9lbi1VUy9hcHBzL2FjY291bnQvZW5yb2xsLmFzcHgeBFRleHQFGEVucm9sbCBvbmxpbmUgaW5zdGFudGx5LmRkAgsPFgIeB1Zpc2libGVnFgJmDw8WAh8CBcMBISBZb3VyIGFjY291bnQgd2lsbCBiZSBsb2NrZWQgYWZ0ZXIgb25lIG1vcmUgdW5zdWNjZXNzZnVsIGF0dGVtcHQuIElmIHlvdSBmb3Jnb3QgeW91ciBzaWduLWluIGluZm9ybWF0aW9uLCBjbGljayBvbiBvbmUgb2YgdGhlIGxpbmtzIGJlbG93IHRvIHJlY292ZXIgb3IgY2hhbmdlIHlvdXIgaW5mb3JtYXRpb24uPCEtLUVyckNvZGU6QTg0LS0%2BZGQCDQ9kFgICAQ9kFggCAQ9kFgQCAg8PFgYeDEVycm9yTWVzc2FnZQVGISBQbGVhc2UgZW50ZXIgYSBNaWxlYWdlUGx1cyBOdW1iZXIgb3IgVXNlcm5hbWUuPCEtLUVyckNvZGU6VjEtLT48YnIvPh4PVmFsaWRhdGlvbkdyb3VwZR8DaGRkAgQPDxYGHwNoHwQFTSEgUGxlYXNlIGVudGVyIGEgdmFsaWQgTWlsZWFnZVBsdXMgTnVtYmVyIG9yIFVzZXJuYW1lLjwhLS1FcnJDb2RlOlYxNS0tPjxici8%2BHwVlZGQCAw9kFgJmDw8WBB8BBV9%2BL2VuLVVTL2FwcHMvYWNjb3VudC9zZXR0aW5ncy9hY2NvdW50TnVtYmVyUmVzb2x1dGlvbi5hc3B4P1NJRD0yMzM5NjM1QTBBNjE0RkE1ODJDQkExQjY4MTAzMzdEMh8CBS48c21hbGw%2BRm9yZ290IFlvdXIgTWlsZWFnZVBsdXMgTnVtYmVyPzwvc21hbGw%2BZGQCBQ9kFgRmDw8WBB8FZR8DaGRkAgIPDxYEHwVlHwNoZGQCCQ9kFgJmD2QWAgICDxAPFgIfBQUKU2lnbkluRm9ybWRkZGQCCw8PFgIfA2hkZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WBQUYY3RsMDAkQ3VzdG9tZXJIZWFkZXIkcmQxBRhjdGwwMCRDdXN0b21lckhlYWRlciRyZDIFGGN0bDAwJEN1c3RvbWVySGVhZGVyJHJkMwUcY3RsMDAkQ3VzdG9tZXJIZWFkZXIkY2hrU2F2ZQUsY3RsMDAkQ29udGVudEluZm8kU2lnbkluJHJlbWVtYmVybWUkY2hrUmVtTWWa3vRH4I1VM0t1M2keUhs60TZORA%3D%3D&ctl00%24CustomerHeader%24ddlCountries=US&ctl00%24CustomerHeader%24rdlang=en-us&ctl00%24CustomerHeader%24chkSave=on&ctl00%24CustomerHeader%24countryText=&ctl00%24CustomerHeader%24langText=&ctl00%24ContentInfo%24hdnReturnPage=%2Fweb%2Fen-US%2Fapps%2Faccount%2Faccount.aspx%3FSID%3D2339635A0A614FA582CBA1B6810337D2%26&ctl00%24ContentInfo%24SignIn%24onepass%24txtField=xxxxxxxxx&ctl00%24ContentInfo%24SignIn%24password%24txtPassword=xxxx&ctl00%24ContentInfo%24SignInSecure=Sign+In+%28Secure%29
HTTP/1.1 302 Moved Temporarily
Cache-Control: private,no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Location:
https://www.united.com/web/en-US/apps/account/account.aspx?SID=2339635A0A614FA582CBA1B6810337D2&&SI=1
Server: Continental Airlines, Inc.
Content-Length: 226
Date: Sun, 04 May 2014 22:15:35 GMT
Connection: keep-alive
Set-Cookie: VanityURL=; domain=united.com; path=/
Set-Cookie: TLTSID=3B5BEC44430E6430D00DD799B0242B66; domain=united.com; path=/
Set-Cookie: TLTUID=3B5BEC44430E6430D00DD799B0242B66; domain=united.com; path=/
Set-Cookie: akaau=1399241903~id=52a65a3f3488ee168c12ba0839a4fbec;
domain=united.com; path=/
Set-Cookie: SID=2339635A0A614FA582CBA1B6810337D2; domain=united.com; path=/
Set-Cookie: dnn=false; domain=united.com; path=/
Set-Cookie:
cocom=si=False&RememberID=&UserName=&OPNumber=(username_goes_here)&PreSite=0;
domain=united.com; expires=Thu, 03-Jul-2014 05:00:00 GMT; path=/
Set-Cookie: 1stSID=2339635A0A614FA582CBA1B6810337D2; domain=united.com; path=/
Set-Cookie: ChaseICLastPage=/web/en-US/default.aspx?root=1; domain=united.com;
path=/
Set-Cookie: culture=LanguageDesc=English; domain=united.com; path=/
Set-Cookie: WB03=3aX4YIzPvAjgDJeFdBzCSlN_dxYCUpPK7K-YRmHlyjAmNVxhXIIyuCA;
domain=united.com; path=/
Set-Cookie:
AuthCookie=bdf609ff7d69f538236de7fa74d7a88afd88147a271d9c95a1fbe87bd5e4ef0f;
domain=united.com; path=/
Set-Cookie: akaau=1399242035~id=ee7af219384df41d5c315edb7c4bc2ca; path=/
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a
href="https://www.united.com/web/en-US/apps/account/account.aspx?SID=2339635A0A614FA582CBA1B6810337D2&&SI=1";>here</a>.</h2>
</body></html>
For Further information, Contact:
Michael Scheidell, CCISO, Security Privateers, (561) 948-1305 /
michael@xxxxxxxxxxxxxxxxxxxxxx
Almantas Kakareka, CCISP, Demyo, Inc, (201) 665 6666 / almaz@xxxxxxxxx
Original document can be found at http://privateers.in/d6
--
Michael Scheidell, CCISO, SMIEEE
Security Privateers<http://www.securityprivateers.com>
Direct: (561) 948-1305
Office: (561) 948-1289
Sales: (877) 948-1289
http://michael.scheidell.org
@scheidell<http://twitter.com/@scheidell>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/