user_mobilelogo

Below are a collection of both old and new security or privacy incidents authored by our Privateers. We believe in Responsible Full Disclosure and generally follow the policy of the venerable RFP (Rain Forest Puppy), found herehere.   We believe that information security professionals should try to work with the vendor or agency in identifying and documenting any security or privacy incident found.   We also believe in working with both federal and state law enforcement agencies, where that applies.

/* Disclaimer:  Nothing in these reports are designed to identify any illegal or regulatory compliance issue.  Privateers do not hack into targets for fun, and do not hack into, run web app assessment software or perform penetration testing or vulnerability testing on any site or company without explicit permission and contracts from the responsible company */

 

United Airways® united.com Insecure Transmission of User Credentials

Systemswww.united.comwww.united.com
Severity: Critical
Category: Information Disclosure
Author: Michael Scheidell, CCISO – Managing Director, Security Privateers
Original Public Release Date: June 30th, 2014.

Notifications: April 29, 2014 (United Airlines, FBI InfraGard, Miami ECTF)
Notifications: April 31, 2014 (Miami ETCF Forwarded to USSS, DHS and Chicago ECTF)
Notifications: May 5th, 2014.  Update sent to MECTF and This email address is being protected from spambots. You need JavaScript enabled to view it.

Revision Date: July 11, 2014

Reason for Revision: Added information on date vulnerable from archive.org

Discussion: (From United.com’s web site, privacy policy privacy policy)

Privacy Policy

Your privacy is important to us

United Airlines is committed to protecting the privacy and personal data it receives from customers. We want you to know that when you use one of the United family Internet websites, and when you provide us with information offline, the privacy of your personally identifiable information will be respected and protected.

Vulnerability:  Confidential login information, including password is transmitted in plain text

This vulnerability has similar scope and threat as the HeartBleed bug.  Even though this exploit does not depend on the HeartBleed bug, it still has the potential to disclose confidential information that the user would reasonably assume to be sensitive or, in combination with their username, would be considered private, unpublished personal information.

The Home page of  www.united.comwww.united.com has a link to a ‘Sign in’ page in the upper right hand corner clicking on this link brings the user to another page, an html form that requests userlogin and password. Source code reveals that ‘Sign in (Secure)’ button links to http, not https page:

 

It has been reported that the ftpd server, included in the Embedded Real Time Operating System (ERTOS) of 3Com Superstack 3 NBX IP phones, contains a denial of service vulnerability. This issue can be triggered by sending a CEL paramater of excessive length, effectively causing the ftpd server and various VoIP services to no longer respond.