Bitdefender Internet Security -

[jerold () v00d00sec com]

There seems to be some security issues with the way Bitdefender Internet Security 2015 software (Build 18.20.0.1429) 
interacts with its myBitdefender online portal.

Issues:

1) Possible partial information disclosure privacy issue of users' myBitdefender account credentials when using the 
SAFEGO functionality for Facebook.
2) Bruteforce of passwords for myBitdefender accounts are possible using the method below.
 
ISSUE 1

To illustrate issue 1, I have created a spare account on myBitdefender at https://my.bitdefender.com with the following 
credentials:

Login ID: jerold.usa () gmail com
Password: password1

Upon clicking on the SAFEGO "Reports for Facebook" link from Bitdefender's user interface under the "Tools" tab, a web 
URL link will be open:

https://my.bitdefender.com/en_US/my/#page=safego.facebook_index&?login=jerold.usa () gmail 
com&passmd5=7c6a180b36896a0a8c02787eeafb0e4c&lang=en_us

Note the HTTP parameter passmd5 which contains the value "7c6a180b36896a0a8c02787eeafb0e4c". It is a simple trivial 
hashing of the plaintext password "password1" using the MD5 algorithm which "broken" in some sense. 

A malicious attacker that has gotten hold of the hash can do a simple reverse lookup using the many available MD5 hash 
databases online.

Imy simple test I used http://www.md5online.org/with the hash "7c6a180b36896a0a8c02787eeafb0e4c" and was given the 
plaintext password of value "password1".

ISSUE 2:

Another point of concern is the HTTP response that was received when the HTTP GET request with valid credentials below 
was sent:

GET /lv2/account?login=jerold.usa%40gmail.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4c&type=userpass HTTP/1.1
Host: my.bitdefender.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Referer: https://my.bitdefender.com/login
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: com.bitdefender.mybd.lang=%7B%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expire%22%3Anull%7D; 
_ga=GA1.3.1523623201.1421739258; _gat=1

The HTTP response was a JSON response from the server:

{
  "token": "Wa6QqAuiUlrKRYcvnZZIEGI00TM", 
  "passmd5": "7c6a180b36896a0a8c02787eeafb0e4c", 
  "country_id": "192", 
  "login": "jerold.usa () gmail com", 
  "preferences": "{\"lang\": \"en_us\"}"
}

Notice that the passmd5 parameter is passed back in clear. Also, it is noted that even after multiple logouts, the 
token value returned is still the same.

Passing a HTTP GET request below with invalid credentials has the following behavior:

GET /lv2/account?login=jerold.usa%40gmail.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4d&type=userpass HTTP/1.1
Host: my.bitdefender.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Referer: https://my.bitdefender.com/login
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: com.bitdefender.mybd.lang=%7B%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expire%22%3Anull%7D; _gat=1; 
_ga=GA1.3.1523623201.1421739258; com.bitdefender.mybd=%7B%22user%22%3A%22jerold.usa () gmail 
com%22%2C%22token%22%3A%22Wa6QqAuiUlrKRYcvnZZIEGI00TM%22%2C%22country_id%22%3A%22192%22%2C%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expiry%22%3A1421742342979%2C%22remember%22%3Afalse%7D

The HTTP response was a JSON response from the server:

{
  "captcha": "false", 
  "error": "wrong_login"
}

Notice that the server responded with wrong login, indicating that the login failed. There is no form of captcha that 
tracks the number of failed logins before locking the account for a said period of time, which is ideal for a 
bruteforce attack.

Bruteforce attack scenario:

1. Obtain a dictionary wordlist of md5 hashes which is easily available online. A quick Google shows that some 
wordlists have more than 376,484,923,572 hashes.
2. Obtain the target's email address.
3. Code a script to send the GET request as below, substituting the login and passmd5 HTTP parameters with the target's 
email address and hashes from the wordlist. Alternatively, BurpSuite's intruder would be perfect for this case. Load 
the wordlist and use sniper-mode to start the bruteforce.
4. Observe the HTTP response. if a response similar to the one below is found, the account has been compromised, 
allowing the attacker access to all Bitdefender online functionalities.

{
  "token": "Wa6QqAuiUlrKRYcvnZZIEGI00TM", 
  "passmd5": "7c6a180b36896a0a8c02787eeafb0e4c", 
  "country_id": "192", 
  "login": "jerold.usa () gmail com", 
  "preferences": "{\"lang\": \"en_us\"}"
}

Seeing how Bitdefender popularity has grown in recent years, I would expect a "more secure" approach to handling such 
data...

Regards,
Jerold