

Security certificate negation by content provider


Date: Sat, 25 Aug 2001 06:12:44 -0700
From: Eddie Chandler <eddiec@arch.sel.sony.com>
To: bugtraq@securityfocus.com
Subject: Security certificate negation by content provider

1)  problem description:

	Content provider realnames.com removes security certificate
	after padding with its advertising.

	After using the search engine, Metacrawler, one of the resultant
	links was through realnames.com.    Clicking the link and following
	through to the "secure order" page resulted in no security certificate
	being given.    Verification of the existence of a security certificate
	was proved by going directly to the vendor site.

URL given by Metacrawler search:
http://navigation.helper.realnames.com/framer/1/0/default.asp?realname=AutoTech+Troubleshooting+Software&url=http%3A%2F%2Fwww%2Eautotechsoftware%2Ecom&frameid=1&providerid=0&uid=17414734

Vendor URL:  www.autotechsoftware.com



Process taken:
--------------
With IE5.01 SP2,
a) use realnames.com content-filled url and verify existence
   of a security certificate and, if so, the level of encryption.

b) use autotechsoftware.com and verify existence of security
   certificate and, if so, the level of encryption.


Results:
--------
a)	Using the realnames url, the secure order page is not secure,
	no certificate is given, no "lock symbol" shown on the page.

b)	Using autotech.com, the secure site is accessed, a certificate
	is given, 128-bit encryption.


Machine used:
-------------
Microsoft Internet Explorer 5.01 SP2 on an NT4.0 SP6a workstation.

Notes:
------
The first time this was tried, Cookies were set to DISABLED.
The second time, Cookies were set to PROMPT.
(No messages were displayed regarding storing cookies on the local pc)


Second test:
------------
This was to see if the problem was reproducible on a different
OS/browser.     Second machine was a 98SE system with IE5.5 on
a different network, cookies enabled.   Result - same as above.


Conclusion/Risk:
----------------
From the above, it looks like realnames is
exposing customers' information including
credit card #, as well as being able to record
that information themselves which could be misused.


Notification to vendor/content-provider:
----------------------------------------
Both realnames and the vendor were notified by e-mail
on Monday 20th, a generic "thank you, we will get to this"
reply was returned by realnames, the vendor saying
that he would "look into it".


Content-providing/this kind of issue is not my
field and I have not been able to progress this
in respect to seeing whether this is a misconfiguration
on realnames' part, or something common to all
content providers, hence posting to this community
in the hope that it is escalated/vendors check
their systems.



regards,
Eddie Chandler
TAOS Consultant
NT4 MCSE, Win2k Pro MCP
www.taos.com
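
An added example, not part of the original post: a JavaScript check that decodes a wrapper link such as the one reported and flags when the destination site is routed through a different host whose own page is plain HTTP. The function name `analyzeWrappedLink` and the rule that the destination travels as an absolute URL in a query parameter are assumptions based on the `url=` parameter visible in the reported link.

```javascript
// Added example: inspect a link for a wrapped destination URL.
// Assumption: a wrapper ("framer") link carries the real destination as an
// absolute http(s) URL in one of its query parameters, as the reported link does.

function analyzeWrappedLink(link) {
  const outer = new URL(link);
  const report = {
    outerHost: outer.hostname,
    outerIsHttps: outer.protocol === "https:",
    wrapped: [],   // destinations found inside query parameters
    findings: [],  // human-readable reasons to distrust the link
  };

  for (const [name, value] of outer.searchParams) {
    let inner;
    try {
      inner = new URL(value); // throws for values that are not absolute URLs
    } catch {
      continue;
    }
    // Ignore values that merely look like "scheme:rest" (e.g. "foo:bar").
    if (inner.protocol !== "http:" && inner.protocol !== "https:") continue;

    report.wrapped.push({
      param: name,
      host: inner.hostname,
      isHttps: inner.protocol === "https:",
    });
    if (inner.hostname !== outer.hostname) {
      report.findings.push(
        `parameter "${name}" routes ${inner.hostname} through ${outer.hostname}`);
    }
  }

  if (report.wrapped.length > 0 && !report.outerIsHttps) {
    report.findings.push(
      "top-level page is plain HTTP, so the browser has no certificate to show for it");
  }
  return report;
}

// The link from the post, rejoined onto one line.
const REPORTED_LINK =
  "http://navigation.helper.realnames.com/framer/1/0/default.asp" +
  "?realname=AutoTech+Troubleshooting+Software" +
  "&url=http%3A%2F%2Fwww%2Eautotechsoftware%2Ecom&frameid=1&providerid=0&uid=17414734";

console.log(analyzeWrappedLink(REPORTED_LINK));
```

A link that goes straight to the vendor produces an empty `findings` list, which matches the two cases compared in the post.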
