Megafon - anyone can manage your account
I recently discovered that if you go to the page https://szfsg.megafon.ru/ps/scc/mobile/ from your mobile device via Megafon’s mobile Internet, you can access the “Megafon Service-Guide North-West” without a password (for other regions, there may be a similar link).

Megafon “knows” that it is you accessing the site and grants access on that basis.
To disable this behaviour, the same Service Guide has a setting, “Manage automatic login”, but it does not work: it is set to the prohibited position, yet login is in fact allowed.

In other words, you never touched this checkbox, confirmed that it is in the “prohibited” position, and yet passwordless login was still allowed.
What security issues can this cause?
1. If you share your Internet connection (tethering) with other users, they all get access to manage your personal account.
2. All software running on all the (your) devices with which you share the connection has the same access. One could object that you simply should not run obscure (trojan) software, but one of the main defences against malware is privilege separation. Here we see that any software with zero privileges in the system has access to your personal account.
3. Possible XSS vulnerabilities: not studied.
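To make point 2 concrete, here is an added model of the auto-login decision (not Megafon's code); it assumes the operator identifies the subscriber from a network-supplied identity such as an MSISDN header, that the account stores the “Manage automatic login” preference, and that every device sharing a tethered connection carries the same network identity. The MSISDN below is a constructed placeholder.

```python
"""Buggy vs. fixed auto-login policy for a self-care portal.

Assumptions (illustrative, not Megafon's implementation): the network inserts
the subscriber identity (MSISDN) into each request, and the account carries
the "automatic login" preference. Devices tethered through the phone all
arrive with that same MSISDN, so the server cannot tell them apart.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    network_msisdn: Optional[str]  # None when not coming via the operator's network
    password_ok: bool              # True only if a valid password was presented


@dataclass(frozen=True)
class Account:
    msisdn: str
    auto_login_allowed: bool       # the "Manage automatic login" checkbox


def login_buggy(req: Request, acct: Account) -> bool:
    """Behaviour the post observed: the checkbox is stored but never consulted."""
    if req.network_msisdn == acct.msisdn:
        return True
    return req.password_ok


def login_fixed(req: Request, acct: Account) -> bool:
    """Auto-login only when the subscriber opted in; otherwise require the password."""
    if acct.auto_login_allowed and req.network_msisdn == acct.msisdn:
        return True
    return req.password_ok


def tethered_client_can_login(policy: Callable[[Request, Account], bool],
                              acct: Account) -> bool:
    """A tethered device (or any program on it) presents the shared network
    identity and no password; returns whether the policy lets it in."""
    shared_identity = Request(network_msisdn=acct.msisdn, password_ok=False)
    return policy(shared_identity, acct)


if __name__ == "__main__":
    acct = Account(msisdn="79000000000", auto_login_allowed=False)  # constructed
    print("buggy :", tethered_client_can_login(login_buggy, acct))  # True
    print("fixed :", tethered_client_can_login(login_fixed, acct))  # False
```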
Yes, and Megafon itself, it seems, understands the danger. In the new version of “My Account” (where there is no such vulnerability), a warning is displayed:

Two weeks ago I reported this problem to support, but the following came in response:

Considering that a 120-character password (as recommended here) is not very convenient to dictate by phone, and that a password is, in general, not needed here, I made a new appeal asking them to look into it without the password. However, they answered me with a standard reply.
A post was also found on the Internet indicating that this problem has existed for a long time, or is a regression.
It's time to write on Habr, I thought.
Maybe I'm not the only one with this problem? I asked a question on Toster; one person responded and confirmed the problem.
UPD: Megafon fixed the problem with passwordless login. I checked it on my phone: indeed, the checkbox remained in the “prohibited” mode and the ban really works; login without a password is not possible. Beaver always wins!