Major Frontier Password Bug Exposed ISP Users' Data

A major bug in Frontier's website exposed the private data of millions of the company's subscribers. The vulnerability, first discovered by security researcher Ryan Stevenson, allowed an intruder to take over an account with just a username or email address. The flaw lay in how two-factor authentication was implemented in the password reset process. Normally, two-factor authentication texts or e-mails the user a one-time code to confirm that they are who they say they are.

But Frontier's site let an attacker submit guesses at that six-digit code without limit, so a determined intruder could brute-force the code and reset the user's password with a little elbow grease.

ZDNet, which first reported the vulnerability, notes that Stevenson was able to automate the process and send around 100 code guesses in 10 seconds. A tool then let the researcher determine which code would allow the password reset to proceed:
quote:
Using Burp Suite, a network intercept tool widely used by security researchers, and a test account he created, Stevenson automated the sending of hundreds of six-digit access code iterations to the browser, one after the other. In the demonstration, he showed that a correct code returned a bigger server response than the incorrect codes.
"Out of an abundance of caution while the matter is being investigated, Frontier has shut down the functionality of changing a customer's password via the web," the company said in a statement on the vulnerability.
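As an added illustration of the failure the article and the ZDNet quote describe (this is example code written for this page, not Frontier's or ZDNet's), the Python below models a password-reset step guarded by a six-digit code. The vulnerable service accepts unlimited guesses and returns a longer body on success, which is all a brute-forcer needs; the hardened one caps attempts, expires and burns the code, and compares in constant time. The service and function names, the five-attempt and ten-minute limits, the user "alice" and the fixed demo code 004242 are all assumptions chosen for the demo.

```python
# Added example for this page, not Frontier's code. Names, limits and the
# fixed demo code are assumptions.
import hmac
import json
import secrets
import time

CODE_SPACE = 10 ** 6        # six decimal digits: 000000..999999
MAX_ATTEMPTS = 5            # assumed policy: guesses allowed per issued code
CODE_TTL_SECONDS = 600      # assumed policy: code lifetime


class VulnerableResetService:
    """Unlimited guesses, no expiry, code stays valid after wrong tries."""

    def __init__(self):
        self._codes = {}    # username -> code string

    def start_reset(self, username, code=None):
        # `code` exists only to make the demo repeatable; production must
        # always take the random path.
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._codes[username] = code

    def verify(self, username, guess):
        if self._codes.get(username) == guess:
            # Success carries a reset token, so the body is longer than a
            # failure: the response-size oracle from the ZDNet write-up.
            return json.dumps({"ok": True, "reset_token": secrets.token_hex(16)})
        return json.dumps({"ok": False})


class HardenedResetService:
    """Attempt budget, short lifetime, single use, constant-time compare."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so expiry can be tested offline
        self._state = {}     # username -> {"code", "issued", "attempts"}

    def start_reset(self, username, code=None):
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._state[username] = {"code": code, "issued": self._clock(), "attempts": 0}

    def verify(self, username, guess):
        st = self._state.get(username)
        if st is None:
            return json.dumps({"ok": False})
        if self._clock() - st["issued"] > CODE_TTL_SECONDS:
            del self._state[username]              # expired: burn it
            return json.dumps({"ok": False})
        st["attempts"] += 1
        if st["attempts"] > MAX_ATTEMPTS:
            del self._state[username]              # budget spent: burn it
            return json.dumps({"ok": False})
        if hmac.compare_digest(st["code"].encode(), guess.encode()):
            del self._state[username]              # single use
            return json.dumps({"ok": True, "reset_token": secrets.token_hex(16)})
        return json.dumps({"ok": False})


def is_ok(response):
    return json.loads(response)["ok"]


def brute_force(service, username, limit=CODE_SPACE):
    """Walk the code space in order and detect success purely by response
    length, as Stevenson did. Returns (code or None, requests sent)."""
    baseline = len(service.verify(username, "------"))   # known-bad guess
    requests = 1
    for n in range(limit):
        guess = f"{n:06d}"
        requests += 1
        if len(service.verify(username, guess)) != baseline:
            return guess, requests
    return None, requests


def demo():
    """Same fixed code against both services; returns what the attacker got."""
    vuln = VulnerableResetService()
    vuln.start_reset("alice", code="004242")
    cracked, vuln_requests = brute_force(vuln, "alice")

    hard = HardenedResetService()
    hard.start_reset("alice", code="004242")
    blocked, hard_requests = brute_force(hard, "alice", limit=1000)
    # Once the budget is spent even the real code is dead.
    late_ok = is_ok(hard.verify("alice", "004242"))
    return {"vuln_cracked": cracked, "vuln_requests": vuln_requests,
            "hard_cracked": blocked, "hard_requests": hard_requests,
            "hard_late_ok": late_ok}


if __name__ == "__main__":
    print(demo())
```

The success response will always differ from a failure in some way (it has to hand over a token or move the flow on), so trying to hide that oracle is not the fix; the attempt budget per issued code, the short lifetime and burning the code after the budget is spent are what turn a 10-second brute force into at most five guesses against a million-code space. A real deployment would also throttle per source and account and alert on bursts of reset attempts.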

Most recommended from 13 comments

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

16 recommendations

Corporations have fiduciary responsibility to shareholders...

Until security breaches start affecting that fiduciary responsibility in a negative way, the corporations will always treat security as a secondary or tertiary priority.

Stated differently, unless and until the security of customer data becomes a significant part of corporate responsibility, the corporations will not spend enough money to assure proper security.

It has to be more expensive to ignore customer data security than it is to assure it.

If a corporation exposes customer data to hackers through its own neglect, then the fine should be on the order of $1000 for each customer affected.

Then the corporations may start paying attention.

 
Tchaika
Member
join:2017-03-20
New Orleans, LA

6 recommendations

Topical, Again....

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

6 recommendations

Social Security Number.....

Americans do not want a national ID card. Every time it is even slightly brought up by a senator as in "maybe we should do this...." - the public rebels against the idea, because the government knowing who you are is something that treads on their personal privacy.

As such, the USA is one of the few western countries that does not have a national identification card or a national identification law that requires citizens to prove who they are. Sure, the STATES have ID cards and driver licenses, but you are not forced to get one. It's handy if you want to drive, but you do not HAVE to get an ID card if you don't.

Unfortunately however.... while the public rebels against such an atrocious idea, commercial entities and banks did need some way of making sure who you are, and look!!.... the government is actually giving each individual a unique number that companies can totally abuse. In comes the Social Security Number, which has absolutely NO security features.... you can just subtract 1 from your own SSN, and you will likely have a person that was born on the same day as you (so you have a birth date too), and in the same state, as the first three digits match up with a state and can be looked up online..... even if you only have the last 4 digits, you can easily figure out the first 6 numbers by having the birth date of a person and the state they were born in, which in many cases is the state they currently live in... so it pretty much FAILS as a method of secure identification, yet it is used by EVERYONE as a substitute, because there is no national identification of any kind.

And this is why these kinds of data breaches are inherently more dangerous in the United States, because a whole fuckload of companies have these basic identifiers on file:

1) last four digits of SSN.
2) birth date.
3) state from where they hail.

And the above is ALL YOU NEED to create a valid SSN, assuming they live in the state they were born in or immigrated to, and even if they don't..... the state where someone was born is pretty easy to figure out in most cases. Boom, identity stolen.

In a nutshell, because of our independent, American spirit that doesn't really want a "national identification card" of any kind, we are now fucked into using SSNs as secondary identification to do credit checks and to make sure you are you. And until we actually create a secure way of identifying people, not a number system that was created in 1936 and has absolutely no self-checking or security built in..... we will be facing identity theft, and these online breaches only make things worse.

A funny but rather true video to watch:

»www.youtube.com/watch?v= ··· 8IAUouus

spewak
R.I.P Dadkins
Premium Member
join:2001-08-07
Elk Grove, CA

3 recommendations

The bad guys got me

They got my password straight away: frontiersucksdonkeydix

I am mystified how they guessed it so quickly!

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

3 recommendations

poor Frontier....

They already screwed over their California/Oregon/Washington customers when they took over Verizon, are known to have the poorest customer service of any provider, sometimes leaving people without internet for up to a month... They have had major financial problems, left their DSL customers to rot, their stock took a major dive and has never recovered after mismanagement of the company, and now.... they leaked most of their subscribers' data.

Considering the enormous heap of dung they already are, and the even bigger heap of dung they still have to deal with..... you'd almost feel sorry for them.

.....almost.

Roadkill
Premium Member
join:2008-06-17
united state

3 recommendations

Oh my gosh!

Ughhh, just another company completely screwing up and losing control of their customers' data. Simple, secure methods of doing business are clearly beyond the comprehension of the people in charge of handling consumer data.