Another Coffee Pub WiFi Vulnerability

May 14, 2009

I received quite a few emails about the Peets WiFi Hack I detailed back in January of this year, and many of you seem to be interested in the many security issues facing free wireless internet providers. In keeping with this, the following is a quick analysis of the wireless authentication method used by a chain of coffee pubs in Canada. Out of discretion, I am not going to identify the establishment - we all appreciate these free services and I want them to stay available.

The vulnerability in question is one that affects more than just wireless network scenarios, because it comes from the way this coffee pub has designed their HTML forms and the corresponding server-side script. Many parts of the login process have been done correctly, including the use of HTTPS, but a single oversight leaves the entire system vulnerable to standard attack methods. First-time users are required to complete a simple registration before using their email address and chosen password to authenticate their computer based on its MAC address. To most users, this system would appear to be completely secure - they have entered a password, and their browser indicates that the form they are sending is encrypted. Unfortunately, the login form produces an HTTP GET request instead of the more appropriate POST request. Because of this, the user's email address and password are sent in plain text, as clearly named parameters in the query string. Any malicious user on the unencrypted network is able to see this request, and with it both the email address and password that have been submitted.
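The following is an added example, not code from the original post or from the coffee pub's login page. It models what a browser actually sends when a login form is submitted with method="get" versus method="post", and then runs a small audit over form markup that flags any form carrying a password field but submitting via GET. The action URL, the field names (email, password, mac) and the sample values are assumptions constructed for the example. The audit generalizes slightly beyond the post: it also flags forms with no method attribute at all, because HTML defaults a form without one to GET. A practical reason to care beyond the wireless sniffing described above is that a GET query string is also written to browser history, proxy logs and server access logs, and leaks through the Referer header on the next page load, so even an HTTPS submission should never carry credentials in the URL.

```javascript
// Added example (not from the original post): GET vs POST serialization of a
// login form, plus a defensive audit of form markup for the flaw described.

// Constructed sample markup: the weak form submits credentials via GET.
// The hostname and field names are assumptions for this example.
const WEAK_FORM = `<form action="https://login.example.invalid/auth" method="get">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="hidden" name="mac" value="00:11:22:33:44:55">
</form>`;

// The corrected form is identical except for the submission method.
const FIXED_FORM = WEAK_FORM.replace('method="get"', 'method="post"');

// Read a quoted attribute from a tag or form fragment, with a default
// when it is absent (HTML defaults a missing form method to GET).
function attr(fragment, name, fallback) {
  const m = fragment.match(new RegExp(`${name}="([^"]*)"`, "i"));
  return m ? m[1] : fallback;
}

// Simulate what the browser transmits for a submission of this form.
// With GET the encoded fields become the query string of the request
// line; with POST they travel in the request body instead.
function serializeSubmission(formHtml, values) {
  const action = attr(formHtml, "action", "");
  const method = attr(formHtml, "method", "get").toLowerCase();
  const encoded = new URLSearchParams(values).toString();
  if (method === "get") {
    return { method: "GET", url: `${action}?${encoded}`, body: "" };
  }
  return { method: "POST", url: action, body: encoded };
}

// Audit: return one finding per form that has a password input but
// would submit via GET (explicitly, or implicitly through a missing method).
function auditForms(html) {
  const findings = [];
  const forms = html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || [];
  for (const form of forms) {
    const method = attr(form, "method", "get").toLowerCase();
    const hasPassword = /<input\b[^>]*type="password"/i.test(form);
    if (hasPassword && method === "get") {
      findings.push({
        action: attr(form, "action", ""),
        reason: "password field submitted via GET: credentials land in the URL",
      });
    }
  }
  return findings;
}

// Stand-alone demonstration.
const creds = { email: "user@example.invalid", password: "hunter2" };
console.log(serializeSubmission(WEAK_FORM, creds));   // password visible in url
console.log(serializeSubmission(FIXED_FORM, creds));  // password only in body
console.log(auditForms(WEAK_FORM + FIXED_FORM));      // one finding, the GET form

module.exports = { WEAK_FORM, FIXED_FORM, serializeSubmission, auditForms };
```

The audit is intentionally a lightweight regex pass over markup, enough to check a captive-portal login page or a template directory for this particular mistake; a real HTML parser would be needed for forms with unusual attribute quoting. Moving the credentials to the POST body is the fix the post calls for, and it only helps when the form's action is itself an HTTPS URL.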

This is obviously a security flaw, but the context in which the flaw exists is not sensitive. The account information cannot be directly used to gain sensitive data about the user, so there is little at risk. But, as is the case with most vulnerabilities, one risk cannot be considered in isolation. When I discovered the weakness in this system (which I use nearly every day), I began to think about ways an attacker could potentially use this authentication data to their advantage - I was quickly met with a surprising situation. Consider the typical computer user, who employs only a few passwords for everything they do online. Now imagine being given both this person's email (their address) and their "usual" password (their key). Using a house as a metaphor, you can see how these two pieces of data are the only things an attacker needs to gain access to something potentially valuable. A simple example of this would be if the attacker were to test the collected password on the user's web-based email account. Very easily done, and very dangerous.

Have you had an experience with public wireless security? Perhaps next time you log in at your favorite coffee pub, you will take a moment to ensure your information is being handled with the proper care.

About Jason Miller:

I am a JavaScript developer from Waterloo, Ontario, Canada. When I am not typing green code onto a black screen, you might find me at the nearest coffee pub checking out the brew. I run an internet firm called developIT and maintain blogs and web apps when I can.