[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] United Airways® united.com Insecure Transmission of User Credentials
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] United Airways® united.com Insecure Transmission of User Credentials
- From: Joshua Smith <lazydj98@xxxxxxxxx>
- Date: Mon, 14 Jul 2014 11:03:03 -0500
"This vulnerability has similar scope and threat as the HeartBleed bug.” — umm,
no. This bug affects your creds at a single site. Please don’t over inflate.
-kernelsmith
Date: Sun, 13 Jul 2014 11:58:18 +0000
From: Michael Scheidell <michael@xxxxxxxxxxxxxxxxxxxxxx>
To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] United Airways(r) united.com Insecure Transmission of
User Credentials
Message-ID: <1405252689573.49421@xxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="Windows-1252"
United Airways(r) united.com Insecure Transmission of User Credentials
Revision Date: May 6th, 2014
Reason for Revision: Issue has been fixed by united.com
Systems: www.united.com
Severity: Critical
Category: Information Disclosure
Author: Michael Scheidell, CCISO ? Managing Director, Security Privateers
Original Public Release Date: June 30th, 2014.
Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago
ECTF)
Notifications: May 5th, 2014. Update sent to MECTF and United Airlines
Discussion: (From United.com?s web siteprivacy policy)
Privacy Policy
Your privacy is important to us
United Airlines is committed to protecting the privacy and personal data it
receives from customers. We want you to know that when you use one of the
United family Internet websites, and when you provide us with information
offline, the privacy of your personally identifiable information will be
respected and protected.
Vulnerability: Confidential login information, including password is
transmitted in plain text
This vulnerability has similar scope and threat as the HeartBleed bug. Even
though this exploit does not depend on the HeartBleed bug, it still has the
potential to disclose confidential information that the user would reasonably
assume to be sensitive or, in combination with their username, would be
considered private, unpublished personal information.
The Home page of www.united.com has a link to a ?Sign in? page in the upper
right hand corner clicking on this link brings the user to another page, an
html form that requests userlogin and password. Source code reveals that ?Sign
in (Secure)? button links to http, not https page:
<div><span id="ctl00_CustomerHeader_spanNotSignedIn"><a
id="ctl00_CustomerHeader_linkSignIn" href="apps/account/account.aspx">Sign
In</a> | </span><a id="ctl00_CustomerHeader_linkMyAccount"
href="apps/account/account.aspx">My Account</a> | <a accesskey="9"
href="content/Contact/default.aspx">Contact Us</a></div>
When you select ?Sign in?, you are presented with a screen at url:
http://www.united.com/web/en-US/apps/account/account.aspx and asked to log in.
The request is for MileagePlus Number or Username:
PIN or Password:
And the ?submit? button is labeled ?Sign In (Secure)?.
First thing to note is that this is an http (plain text, unencrypted) webpage,
second thing to note is that the submit button calls a standard ?POST? which
when the user presses the ?Sign In (Secure)? button, the information is
transmitted from the user?s computer across the internet in plain text.
<body id="ctl00_bodyMain" onunload="PurchaseAbandon();">
<form name="aspnetForm" method="post" action="signin.aspx"
onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/