Bugtraq mailing list archives
Re: USPS Online Bill Pay - Cleartext Password Leakage
From: KF <dotslash () snosoft com>
Date: Sun, 20 Jan 2002 10:53:37 -0500
I just wanted to let the readers of this list know that this issue is not necessarily in Checkfree code... this issue could be due to an interface coded by USPS to a Checkfree product. I also wanted to note that Checkfree was not notified by Matthew Dent about this issue, as you can see from the dialog below. I only mention this because Matthew made note that he got NO vendor response. In closing, the way Matthew worded his advisory, "Other Checkfree portals" may also be vulnerable, may not be a correct statement, as you can see that Matthew himself assumes the interface or portal was coded by USPS themselves.

*My views and opinions do not necessarily reflect the views of my company*

-KF

Matthew Dent wrote:

I did not notify anybody at Checkfree directly. Based on the URLs involved and other information, I assumed that USPS probably coded it themselves (more likely hired it coded by someone else). I notified USPS through their online "message" feature using the "unexpected system operation" (or something like that) tag. I only mentioned Checkfree's name because I know that USPS uses them (you) on the back-end.

Matt D.

--- KF <dotslash () snosoft com> wrote:

I happen to work for Checkfree... whom did you notify at our Organisation if anybody and did you notify? I am not sure if we coded it or if They did...

-KF

Matthew Dent wrote:

AFFECTED: Users of USPS Online BillPay Service. It is unknown whether other checkfree portals are vulnerable to the same problem.

OVERVIEW: Failed username/password results in plain-text return of submitted password. If the USERNAME was the incorrectly typed piece, this will result in a plain-text version of the user's password to be retrievable using the 'VIEW SOURCE' browser option.

DESCRIPTION: The USPS Online BillPay service utilizes a username/password combination for access to their service. Users enter their username/password to gain access to their account. If a user mistypes the username or password, a pre-filled out form is returned to the user which INCLUDES the password that was entered on attempt.

IMPACT: If the user mistyped the username but correctly types the password, the plain-text password is returned to the browser and is viewable by using the back button and the "view source" option of the browser.

SOLUTION:

END-USER: The only known workaround is to configure the browser to not cache pages at all. This will prevent the ability to use the "back" button; however, if the returned page is on the screen, using "view source" may still display the information.

VENDOR: Re-code the application to not return the password in the "login-failed" form that is displayed. This should be a relatively easy solution.

VENDOR NOTIFICATION: USPS BillPay was first notified 1/1/2002 and given a "respond by" deadline of 1/17/2002. This notification occurred from within their online customer care interface. Complete and accurate contact information was included. When no response was obtained, a second notification was sent on 1/16/2002 with an extension until 00:00 1/19/2002 -- at which time this information would be posted to BUGTRAQ. The original message (including complete contact information) was included.

VENDOR RESPONSE: None to date.

Matthew Dent
dentm () yahoo com

__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/
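Added example, not part of this thread and not code from USPS or Checkfree: a toy Python login handler in the shape the advisory describes (the submitted password is pre-filled back into the "login-failed" form) beside a corrected handler that re-fills only the username and marks the response uncacheable, together with a check a reviewer or regression test can run to confirm the submitted password never appears in the response body. Every name here (ACCOUNTS, handle_login_vulnerable, handle_login_fixed, response_leaks_secret) and the sample account are constructed for the illustration.

```python
import html
from typing import Dict, Tuple

# Constructed sample account for the demonstration; not a real credential.
ACCOUNTS: Dict[str, str] = {"alice": "correct horse battery"}


def credentials_valid(username: str, password: str) -> bool:
    """Toy credential check (hypothetical; a real service verifies a password hash)."""
    return ACCOUNTS.get(username) == password


def login_failed_form_vulnerable(username: str, password: str) -> str:
    """Pre-fills BOTH fields on failure, the pattern the advisory describes.

    The value is written into the HTML source even though the input is
    type="password", so 'view source' or a cached copy of the page exposes it.
    """
    return (
        '<form method="post" action="/login">'
        f'<input name="username" value="{html.escape(username, quote=True)}">'
        f'<input type="password" name="password" value="{html.escape(password, quote=True)}">'
        "<p>Login failed, please try again.</p>"
        '<input type="submit" value="Sign in"></form>'
    )


def login_failed_form_fixed(username: str) -> str:
    """Re-fills only the username; the password never travels back to the client."""
    return (
        '<form method="post" action="/login" autocomplete="off">'
        f'<input name="username" value="{html.escape(username, quote=True)}">'
        '<input type="password" name="password" value="">'
        "<p>Login failed, please try again.</p>"
        '<input type="submit" value="Sign in"></form>'
    )


def handle_login_vulnerable(username: str, password: str) -> Tuple[int, Dict[str, str], str]:
    """(status, headers, body) for the vulnerable handler: echoes the password, no cache headers."""
    if credentials_valid(username, password):
        return 302, {"Location": "/account"}, ""
    return 200, {"Content-Type": "text/html"}, login_failed_form_vulnerable(username, password)


def handle_login_fixed(username: str, password: str) -> Tuple[int, Dict[str, str], str]:
    """(status, headers, body) for the corrected handler.

    Besides dropping the password from the form, it marks the response
    uncacheable so the back button cannot resurrect it from the browser cache.
    """
    headers = {
        "Content-Type": "text/html",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
    }
    if credentials_valid(username, password):
        headers["Location"] = "/account"
        return 302, headers, ""
    return 200, headers, login_failed_form_fixed(username)


def response_leaks_secret(body: str, secret: str) -> bool:
    """Regression check: does the response body contain the submitted
    password, either raw or in its HTML-escaped form?"""
    if not secret:
        return False
    return secret in body or html.escape(secret, quote=True) in body


if __name__ == "__main__":
    # The advisory's scenario: correct password, mistyped username.
    secret = ACCOUNTS["alice"]
    _, _, bad_body = handle_login_vulnerable("alcie", secret)
    _, good_headers, good_body = handle_login_fixed("alcie", secret)
    print("vulnerable handler leaks password:", response_leaks_secret(bad_body, secret))
    print("fixed handler leaks password:     ", response_leaks_secret(good_body, secret))
    print("fixed handler Cache-Control:      ", good_headers["Cache-Control"])
```

The check looks for the escaped form as well as the raw string because a template engine that HTML-encodes attribute values still leaks the password; encoding prevents injection, not disclosure. The `Cache-Control: no-store` header is the server-side counterpart of the end-user workaround in the advisory, but it only helps once the password is no longer in the page at all.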
Current thread:
- USPS Online Bill Pay - Cleartext Password Leakage Matthew Dent (Jan 19)
- <Possible follow-ups>
- Re: USPS Online Bill Pay - Cleartext Password Leakage KF (Jan 22)