Dear Edward,

On Wed, 10 Sep 2003, Edward Gray wrote:

> Date: Wed, 10 Sep 2003 09:15:29 -0400
> From: Edward Gray <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: OpenSRS Security Hole?
>
> Hi, would you be able to provide more details about this
> security hole that you've encountered please?

Ask on the discuss list - I searched the archives and there are many people that knew about the hole before I posted to the list. I hear that OpenSRS introduced the hole as much as a month ago when you put a feature into the RWI interface that sends to resellers their password - but OpenSRS made no reasonable efforts to hide the password from third parties (any reseller-supplied authentication crypto token would be a reasonable effort - PGP public key is the most widespread). Any third party able to observe traffic anywhere on the email delivery route from OpenSRS to any of the current MX-record purported reseller's SMTP servers has the ability to gain full access to the reseller's account at OpenSRS.

> From initial glance, it sounds like you have "sniffed" the
> contents of the email sent to a reseller with the username
> & password.

I have not done it. I just wrote of somebody else doing it.

> Would you be able to tell me the following please?
>
> 1. What program did you use (which monitors network traffic)
> 2. When you clicked on the link, to send the login information, were you
> intended recipient of the email?

Don't let me read too much into this, but it seems that you are more interested in whether you have something against a customer rather than where the hole is and how to fix it. If that was the case, I would have to disappoint you - when I learned that I might be witnessing such an event, I've made sure that all legal particulars of such an event were covered, and that no laws or agreements got violated during this event.

Now that you have recognized this as "OpenSRS Security hole", please demonstrate OpenSRS's commitment to keeping customers' confidential information from any third parties. (By storing and encrypting it with customers' own crypto keys.)

> For us to properly address this potential hole, we need to be able to
> re-generate the events you detailed below. I would appreciate any help you
> can provide.

Look through the RWI code - that's where the hole(s) are:

1. Customer passwords are stored in a form which allows extraction back into plaintext,
2. the second hole is that the RWI currently doesn't allow for encryption of the email(s) being sent out. Not even the one that contains confidential information.

> Sincerely,
>
> Edward Gray
> Director, Operations & Networks
> Tucows.com Co.
> [EMAIL PROTECTED]
>
> >-------- Original Message -------- Subject: OpenSRS sends out customer
> passwords in plaintext !
> >Date: Mon, 8 Sep 2003 20:15:25 -0400 (EDT)
> >From: [EMAIL PROTECTED]
> >To: [EMAIL PROTECTED]
> >
> > Hi guys,
> >
> > OpenSRS leaks customer passwords in plaintext !
> >
> > I was there - these guys started a program which monitors
> >network traffic and used another computer to bring up the
> >reseller page. They clicked on the link for sending the
> >login information, typed in the other company's name and in
> >seconds the network monitoring program showed the reseller
> >password for that company !! They went in and were able to
> >see *ALL THEIR RECORDS*, *ALL THEIR CUSTOMERS AND CUSTOMER
> >RECORDS*!
> >
> > I was really stumped when they showed me that *THEY CAN NOW
> >CHANGE THIS COMPANY'S CUSTOMER RECORDS - EVEN "UNLOCK" THEIR
> >DOMAINS* like for transfers away from them, etc !!!
> >
> > I don't know how long this has been.
> >
> > I asked how did they manage to decrypt that information,
> >and they said they didn't !! They said that OpenSRS just
> >doesn't care - they don't even use PGP, they just send
> >passwords in plaintext.
> >
> > OpenSRS, I think you want to fix this faaaaaaaast !!!

Mark.
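
An added example (not OpenSRS or RWI code, and not part of the original message) of closing both holes listed above: passwords are kept only as salted PBKDF2 digests, so nothing can be extracted back into plaintext, and the "send login information" mail carries a single-use, expiring reset token instead of the password. The class and method names, the iteration count and the rwi.example.invalid URL are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class ResellerStore:
    """Hypothetical credential store; names are illustrative, not RWI's."""

    def __init__(self):
        self.creds = {}   # username -> (salt, digest); no recoverable password
        self.resets = {}  # sha256(token) -> (username, expiry timestamp)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, _digest(password, salt))

    def login(self, user: str, password: str) -> bool:
        rec = self.creds.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(_digest(password, rec[0]), rec[1])

    def reset_email(self, user: str, now=None, ttl: int = 900):
        """Return (mail body, token). The body never contains a password."""
        if user not in self.creds:
            raise KeyError(user)
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a database leak cannot replay it.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.resets[key] = (user, now + ttl)
        body = f"Set a new password: https://rwi.example.invalid/reset?token={token}"
        return body, token

    def redeem(self, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        rec = self.resets.pop(key, None)  # pop: a token works at most once
        if rec is None or now > rec[1]:
            return False
        self.set_password(rec[0], new_password)
        return True

if __name__ == "__main__":
    store = ResellerStore()
    store.set_password("reseller1", "constructed-old-secret")  # constructed sample
    body, token = store.reset_email("reseller1")
    print(body)
    print("redeemed:", store.redeem(token, "constructed-new-secret"))
    print("replayed:", store.redeem(token, "another-value"))
```

The token still crosses SMTP unencrypted, so this only limits what a captured mail is worth (no existing password, one use, short lifetime); encrypting the mail to a reseller-supplied PGP key, as the message proposes, is what protects the delivery route itself.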
