O2 web site security

Your account details may not be safe

Latest News

The flaw was confirmed to be still present up until 08:49, 18th July 2002 BST.
It appears that it was fixed some time later that day. So this has taken nearly four days to fix since the discovery. We are not so sure that the problem has been dealt with in the most sensible or speedy manner. There are still issues that need resolving. In the meantime, those users who have had their account details stolen probably have no idea...

Claims that it had been fixed by IRM on The Register were premature. Please carry on reading this page for a chronological description of what happened.

Round One (14th July)

Here we describe the initial accidental discovery.

Discovery and Dissemination

The aim of this document was (and perhaps still is) to make users aware of a serious security issue regarding the viewing of their O2 account and billing details over the internet at www.o2.co.uk. O2 was formerly known as Genie.

Risks

Demonstration of risks

[Screenshot 1: Email]

Users receive an email like this each month telling them that they can visit http://www.o2.co.uk/shop to access their account. Users may do this at any time.

[Screenshot 2: Shop home page]

When the user visits the URL mentioned in the email, they end up at this page. Clicking on the "View My Bill" link takes them to a login page which is accessed using a secure protocol (HTTPS).

[Screenshot 3: "View My Bill"]

This is the login page to view your bill. You are supposed to enter your user name and password here. Note that the web browser has the padlock icon near the bottom right, indicating that this is a secure page. So it must be safe to send this information, right...?

[Screenshot 4: Logged in]

Oh no! It looks like it wasn't safe to send your user name and password. This is the page you end up on after you have logged in. Note that the padlock has now gone. This page was accessed using a non-secure protocol. More importantly, your user name and password were sent as plain text over the internet, possibly without you even realising! This means that anyone between your computer and the O2 web server could have seen this information without needing to decrypt anything. They could then log in to your O2 account with this information. We believe that the user can be misled into thinking that this process is secure, due to the padlock on the previous page. We also believe this is a serious oversight by the designers of the O2 web site.

[Screenshot 5: Plain text password transmission :-/]

Just to confirm what has happened, here is a dump of the HTTP request over TCP port 80. The POST request has sent your user name and password as plain text. Even users on your own network may be able to see this information.
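A network monitor watching port 80 can spot this kind of leak automatically. The following is an added example, not code from the original page or the dump it shows: it splits a raw HTTP request into its request line, headers and body, and, for a form-encoded POST seen on the plain HTTP port, reports any field whose name suggests a credential. The captured request, host and field values are constructed for the example, not real O2 traffic.

```python
# Added example (not part of the original page): flag credential fields that
# appear in a plaintext HTTP POST, the way a network monitor looking at port 80
# traffic would. The captured request below is constructed, not real O2 traffic.
from urllib.parse import parse_qs

# Field names that normally carry secrets; matched case-insensitively as substrings.
SENSITIVE_FIELDS = ("password", "passwd", "pwd", "pin", "secret")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def plaintext_credentials(raw, port):
    """Return the names of sensitive form fields sent unencrypted.

    Only port 80 (plain HTTP) is considered; traffic on 443 is inside TLS and
    is not readable by a passive observer, so it is never reported here.
    """
    if port != 80:
        return []
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name in fields
                  if any(tag in name.lower() for tag in SENSITIVE_FIELDS))


# Constructed capture of a login POST sent over plain HTTP (port 80).
SAMPLE_REQUEST = (
    "POST /shop/dologin HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "username=alice&password=not-a-real-pw"
)

if __name__ == "__main__":
    leaked = plaintext_credentials(SAMPLE_REQUEST, port=80)
    if leaked:
        print("credential fields sent in the clear:", ", ".join(leaked))
```

The same request observed on port 443 yields nothing, which is exactly the difference the padlock is supposed to guarantee: the check only has something to report when the form was posted outside HTTPS.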

[Screenshot 6: Security Code]

As an extra security feature (!) you are required to enter a 4-digit PIN when viewing your name, address, etc. This is actually done over HTTPS and can therefore not be snooped by other users. But let's face it, it's not going to take long to make a brute-force attempt at all 10000 combinations (compared with guessing the user's password, which is longer and may contain many other characters). Once the correct 4-digit number has been found, an attacker can not only view but also change your name, email address, postal address, telephone number and bank account details. That's probably not a good thing.
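A 4-digit PIN is only as strong as the limit on how many wrong guesses the server will entertain. The following is an added example, not code from the original page or from O2: a server-side guard that compares the PIN in constant time, counts consecutive failures per account and locks the account for a period once the limit is reached, so that the 10000 possible values cannot simply be tried one after another. The account identifier, PIN values and limits are constructed for the example; a real deployment would persist the counters rather than keep them in memory.

```python
# Added example (not part of the original page): a server-side guard for a
# 4-digit PIN check that caps failed attempts per account, so that the 10000
# possible values cannot simply be tried one after another. The account data
# and limits are constructed for this example.
import hmac
import time


class PinGuard:
    """Verifies PINs with a per-account failure counter and a lockout period."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock          # injectable so the lockout can be tested
        self._failures = {}          # account -> consecutive failed attempts
        self._locked_until = {}      # account -> clock time the lock expires

    def is_locked(self, account):
        return self._clock() < self._locked_until.get(account, 0.0)

    def verify(self, account, stored_pin, submitted_pin):
        """Return True only if the PIN matches and the account is not locked."""
        if self.is_locked(account):
            return False
        # Constant-time comparison so the check itself leaks no timing information.
        if hmac.compare_digest(stored_pin.encode(), submitted_pin.encode()):
            self._failures[account] = 0
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self._clock() + self.lockout_seconds
            self._failures[account] = 0
        return False


def attempts_before_lockout(guard, account, stored_pin, wrong_pins):
    """Count how many wrong PINs the guard processes before it locks the account."""
    tried = 0
    for pin in wrong_pins:
        if guard.is_locked(account):
            break
        guard.verify(account, stored_pin, pin)
        tried += 1
    return tried


if __name__ == "__main__":
    guard = PinGuard(max_failures=5, lockout_seconds=900)
    wrong = ["0000", "0001", "0002", "0003", "0004", "0005", "0006"]
    print("wrong guesses processed before lockout:",
          attempts_before_lockout(guard, "acct-1234", "7391", wrong))
    # Even the correct PIN is refused while the account is locked.
    print("correct PIN accepted while locked:", guard.verify("acct-1234", "7391", "7391"))
```

With five failures per fifteen-minute window, exhausting the 10000 values would take weeks rather than minutes, and the repeated lockouts are themselves a signal worth alerting on.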

Dodgy Security Statement

On the O2 web site (as at 14th July 2002), their Security Statement makes interesting reading: -

We think it is ironic that they say "Please ensure that you keep your password secure at all times." when it is in fact O2 itself that makes the transmission of your password vulnerable to interception by sending it as plain text rather than anything vaguely secure.

They also claim "The Shop section of our site is secure and fully tested ....". Hmm, I think we know that's not true now.

Their statement "This means that the information passed between your computer and our web site cannot be read even in the event of it being intercepted by someone else." is partly true, but it only applies when HTTPS is actually being used. As we have demonstrated, HTTPS was not used when your user name and password were transmitted (although the user may be led to think that it is...). So it is possible for somebody to intercept your user name and password and then subsequently gain access to your O2 account.

Round Two (16th July)

O2 'fix' the problem?

This web page itself featured on The Register on 15/07/2002 at 18:35 GMT at http://www.theregister.co.uk/content/55/26200.html. Unfortunately, they seem to think I am some 'hax0r' dude with a nickname of "Jibble". Neither is true.

It's a nice article, but it is said that Neil Barrett, Technical Director of IRM (Information Risk Management), has gone over the site with a fine-tooth comb and he reckons the flaw has been fixed.

Unfortunately, he was wrong. The flaw was still present (when we tested it at 12:23 BST and 19:29 BST on 16th July 2002). At a quick glance, the site did look reasonably safe, but deeper analysis revealed that it was still submitting user names and passwords as plain text. We again confirmed this by examining the raw TCP stream. Whoops, looks like somebody made a mistake!

IRM also said "The story told on the Jibble page looks kosher..." Well, cheers, it is true after all :)

"A spokeswoman for O2 said that it took security seriously and expressed surprise at the lapse. Technical staff at O2 are looking into the issue to find out what happened and when, she added." - Perhaps they should fix the problem before they try to work out what went wrong! :) Or perhaps they should let me work for them...

As an O2 customer, I am a bit worried that they made this mistake in the first place. I am also worried that they hadn't fixed it by now. Perhaps I would have let O2 know about it directly if I could find any email addresses on their web site (it's not the best web site in the world). I have not received any form of communication from O2 regarding this matter. I would like to invite them to do so, as I am interested to see why they are still allowing their users to log in with a woefully insecure system (or at least a system that is nowhere near as secure as they claim it to be).

What O2 should do (17th July)

We are surprised that O2 appears to have taken no action to remedy this serious security problem yet. Here is the bare minimum that O2 should do (but haven't yet):-

Why you should worry

When you read through the O2 Terms And Conditions at http://www.o2.co.uk/terms.html, there are a couple of interesting points, such as:-

The first point is a bit worrying, as it is infeasible to ensure that your password is kept confidential and not disclosed to unauthorised persons when the flawed design of the O2 web site causes it to be sent as plain text over the internet.

The second point is equally worrying, as it is effectively saying that you are responsible for anything that happens through your account. So if an attacker exploits the flaws in the O2 web site (not difficult) and manages to log into your account, then you will be held responsible for anything that they do. In that respect, it seems as if O2 is not doing enough to protect its own customers.

O2 semi fix the problem

Some time (in the afternoon, possibly) on 18th July 2002, O2 eventually fixed their security problem. Password information is now dealt with correctly via the HTTPS protocol. This had taken 4 days to fix since our discovery.

So, problem solved? Not really. We think that O2 should advise their customers to change their passwords immediately. Making things secure now is not going to stop unauthorised account access if some nasty person has already stolen your login details! (And it's possible the flaw had been present long before our discovery...) So the following section details some of our recommendations that O2 have still to carry out:

What O2 should still do (18th July)

We believe that O2 should still carry out the following actions:-

Document History

This document was created on 14th July 2002 and is believed to be the first such report. We have not received any news from O2 regarding this matter, despite this page having been visited thousands of times.

We have received lots of emails about this page, most of which express bad vibes towards O2 due to poor customer support and lack of web site availability. Some of the emails were even job offers from rival companies to O2. Still no word from O2, though.

Interestingly enough, I received a phone call from O2 a week later (about something completely unrelated to this page) and the employee didn't even seem to know about this security problem!

The author of this page may be contacted via email at the address below.

Copyright Paul Mutton 2001-2013
http://www.jibble.org/