Bugtraq mailing list archives

Re: USPS Online Bill Pay - Cleartext Password Leakage


From: KF <dotslash () snosoft com>
Date: Sun, 20 Jan 2002 10:53:37 -0500

I just wanted to let the readers of this list know that this issue is not necessarily in Checkfree code... this issue could be due to an interface coded by USPS to a Checkfree product. I also wanted to note that Checkfree was not notified by Matthew Dent about this issue, as you can see from the dialog below. I only mention this because Matthew made note that he got NO vendor response. In closing, the way Matthew worded his advisory, that "other Checkfree portals" may also be vulnerable, may not be a correct statement, as you can see that Matthew himself assumes the interface or portal was coded by USPS themselves.

*My views and opinions do not necessarily reflect the views of my company*
-KF


Matthew Dent wrote:

I did not notify anybody at Checkfree directly.  Based
on the URLs involved and other information, I assumed
that USPS probably coded it themselves (more likely
hired it coded by someone else).
I notified USPS through their online "message" feature
using the "unexpected system operation" (or something
like that) tag.  I only mentioned Checkfree's name
because I know that USPS uses them (you) on the
back-end.

Matt D.

--- KF <dotslash () snosoft com> wrote:

I happen to work for Checkfree... whom did you notify at our organisation, if anybody, and did you notify? I am not sure if we coded it or if they did...
-KF

Matthew Dent wrote:

AFFECTED:

Users of USPS Online BillPay Service.  It is unknown whether other Checkfree portals are vulnerable to the same problem.

OVERVIEW:

Failed username/password results in plain-text return of submitted password.  If the USERNAME was the incorrectly typed piece, this will result in a plain-text version of the user's password being retrievable using the 'VIEW SOURCE' browser option.

DESCRIPTION:

The USPS Online BillPay service utilizes a username/password combination for access to their service.

Users enter their username/password to gain access to their account.

If a user mistypes the username or password, a pre-filled out form is returned to the user which INCLUDES the password that was entered on attempt.


IMPACT:

If the user mistypes the username but correctly types the password, the plain-text password is returned to the browser and is viewable by using the back button and the "view source" option of the browser.


SOLUTION:

   END-USER

The only known workaround is to configure the browser to not cache pages at all.  This will prevent the ability to use the "back" button; however, if the returned page is on the screen, using "view source" may still display the information.

   VENDOR

Re-code the application to not return the password in the "login-failed" form that is displayed.  This should be a relatively easy solution.



VENDOR NOTIFICATION:

USPS BillPay was first notified 1/1/2002 and given a "respond by" deadline of 1/17/2002.  This notification occurred from within their online customer care interface.  Complete and accurate contact information was included.

When no response was obtained, a second notification was sent on 1/16/2002 with an extension until 00:00 1/19/2002 -- at which time this information would be posted to BUGTRAQ.  The original message (including complete contact information) was included.


VENDOR RESPONSE:

None to date.


Matthew Dent
dentm () yahoo com

__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/











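The defect the advisory describes and the vendor fix it asks for, as an added illustration that is not USPS's, Checkfree's or Matthew Dent's code: a minimal server-side login handler that, in its vulnerable mode, re-renders the "login failed" form with the submitted password in the markup (exactly what "view source" would expose after a mistyped username), and in its fixed mode never writes the password back and marks the response as not cacheable. The user table, the credentials, the HTML and the handler's return shape are all constructed for this example.

```python
"""Password echoed into a 'login failed' page, beside the fixed handler.

Added example, not code from the advisory or either vendor. The user store,
form handling and HTML below are constructed for illustration only.
"""
import hashlib
import hmac
import html

# Constructed user store: username -> (salt, PBKDF2-SHA256 hash). Not real credentials.
_SALT = b"example-salt"
_ITERATIONS = 100_000
USERS = {
    "mdent": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _ITERATIONS)),
}


def check_credentials(username, password):
    """Verify a password against the stored hash; False for unknown users.

    Unknown users still pay for one PBKDF2 run so the response time does not
    reveal which of the two fields was the wrong one.
    """
    record = USERS.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def render_form_vulnerable(username, password):
    """The behaviour the advisory reports: both fields re-filled, so the password
    sits in the page source of the failure page."""
    return (
        "<p>Login failed.</p>"
        "<form method='post' action='/login'>"
        f"<input name='username' value='{html.escape(username, quote=True)}'>"
        f"<input type='password' name='password' value='{html.escape(password, quote=True)}'>"
        "<input type='submit'></form>"
    )


def render_form_fixed(username):
    """The vendor fix: only the username is re-filled; the password field is always empty."""
    return (
        "<p>Login failed.</p>"
        "<form method='post' action='/login' autocomplete='off'>"
        f"<input name='username' value='{html.escape(username, quote=True)}'>"
        "<input type='password' name='password' value=''>"
        "<input type='submit'></form>"
    )


def handle_login(form, vulnerable=False):
    """Minimal handler returning (status, headers, body), the shape a WSGI app would produce.

    Cache-Control: no-store asks the browser and any proxy not to keep a copy,
    which covers the 'back button' half of the report; the markup fix covers
    'view source' on a page that is still on screen.
    """
    username = form.get("username", "")
    password = form.get("password", "")
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    if check_credentials(username, password):
        return 302, {**headers, "Location": "/account"}, ""
    body = render_form_vulnerable(username, password) if vulnerable else render_form_fixed(username)
    return 200, headers, body


def response_leaks(body, secret):
    """True if the submitted secret appears in the response, raw or HTML-escaped,
    i.e. in any form a 'view source' would show."""
    return secret in body or html.escape(secret, quote=True) in body


if __name__ == "__main__":
    # The advisory's scenario: username mistyped, password correct.
    attempt = {"username": "mdnet", "password": "correct horse battery"}
    _, _, leaky = handle_login(attempt, vulnerable=True)
    _, _, safe = handle_login(attempt)
    print("vulnerable page leaks password:", response_leaks(leaky, attempt["password"]))
    print("fixed page leaks password:     ", response_leaks(safe, attempt["password"]))
```

`response_leaks` is the check a reviewer would run against a real failure page: submit a wrong username with a known password, then grep the returned body for the password in both raw and HTML-escaped forms, since an escaped echo is just as readable in "view source".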