In the most recent post of atxsec.com the owner of the blog talks about a flaw that he discovered after trying to pay his utility bill.
To pay his utility bill he decided to use the web application of the utility company where the authentication is based on the client number. He did it, and once authenticated he should see his personal information (Address, Fisrt and Last name, Phone number), but his time he noticed something different:
“In my angry state of mind I tried to login as fast as I could, mashing the keys that consisted of my assigned account number as fast as possible so I can get the sting of another bill out of the way. Hitting the enter key displayed the usual page that I was used to, asking me to confirm my information, except something this time was very different. My name was not correct, it was someone else’s name that lives in the same state as me, and obviously uses the same utility company. Confirming my account number was correct I noticed that the last digit was the issue, it was exactly one digit above my account number. ”
When facing this issue he realized that “Typically this indicates that the account numbers are based on incremental values (more than likely auto_increment).”
Since he didn’t want to end up like the case of “Weev and AT&T” he did the second best thing possible, created a lab using virtual machines and using projects available on Github, to prove his point that the utility company website could be exploited.
“Upon hitting the ‘pay my bill’ button we are shown a page to confirm our account information, then proceed with adding payment methods at the next screen.” continues the post. ù
“On this page we are confronted and instructed to confirm our personal information is correct, then proceed to elect a payment method. This is absolutely terrifying! A competitor could easily uncover this information and use it to poach customers of this company. Or someone could sell the information on the black market, all roads lead to nothing good.”
Going further in his investigation, he created a script to test the created website that simulates the company’s website:
“We simply just need to specify an account number to start with, then the script will ask for a range. This alters the range of account numbers that we would like to test.”
Resuming, if we would use the same method on the company’s website the most likely thing to happen would be that an attacker would harvest the entire customer database using a script with a simple algorithm.
In my opinion the author of the blog acted in a very ethical way, not trying attack directly the website, but I hope that he has already informed the utility company. Someone could blame him in case of successful attack. As usual happen, the lack of security by design could cause serious problems to the end-users, how can you justify a company that implements such authentication mechanism?
Let’s hope the company will fix soon the issue by improving their authentication method.
About the Author Elsio Pinto
(Security Affairs – utility company, hacking)