HackDig : Dig high-quality web security articles for hacker

Harvesting clients’ information from the utility company

2015-06-05 09:10

A security expert explained how it is possible to hack the service provided by a utility company raising serious security and privacy issues.

In the most recent post of atxsec.com the owner of the blog talks about a flaw that he discovered after trying to pay his utility bill.

To pay his utility bill he decided to use the web application of the utility company where the authentication is based on the client number. He did it, and once authenticated he should see his personal information (Address, Fisrt and Last name, Phone number), but his time he noticed something different:

“In my angry state of mind I tried to login as fast as I could, mashing the keys that consisted of my assigned account number as fast as possible so I can get the sting of another bill out of the way. Hitting the enter key displayed the usual page that I was used to, asking me to confirm my information, except something this time was very different. My name was not correct, it was someone else’s name that lives in the same state as me, and obviously uses the same utility company. Confirming my account number was correct I noticed that the last digit was the issue, it was exactly one digit above my account number. ” 

When facing this issue he realized that “Typically this indicates that the account numbers are based on incremental values (more than likely auto_increment).”

Since he didn’t want to end up like the case of “Weev and AT&T” he did the second best thing possible, created a lab using virtual machines and using projects available on Github, to prove his point that the utility company website could be exploited.

utility company hacking

“Upon hitting the ‘pay my bill’ button we are shown a page to confirm our account information, then proceed with adding payment methods at the next screen.” continues the post. ù

utility company hacking 2

“On this page we are confronted and instructed to confirm our personal information is correct, then proceed to elect a payment method. This is absolutely terrifying! A competitor could easily uncover this information and use it to poach customers of this company. Or someone could sell the information on the black market, all roads lead to nothing good.”

Going further in his investigation, he created a script to test the created website that simulates the company’s website:

utility company hacking 3

 

“We simply just need to specify an account number to start with, then the script will ask for a range. This alters the range of account numbers that we would like to test.”

utility company hacking 4

Resuming,  if we would use the same method on the company’s website the most likely thing to happen would be that an attacker would harvest the entire customer database using a script with a simple algorithm.

In my opinion the author of the blog acted in a very ethical way, not trying attack directly the website, but I hope that he has already informed the utility company. Someone could blame him in case of successful attack. As usual happen, the lack of security by design could cause serious problems to the end-users, how can you justify a company that implements such authentication mechanism?

Let’s hope the company will fix soon the issue by improving their authentication method.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – utility company, hacking)

The post Harvesting clients’ information from the utility company appeared first on Security Affairs.


Source: lmth.bd-ynapmoc-ytilitu-gnikcah/gnikcah/35573/sserpdrow/oc.sriaffaytiruces

Read:3316 | Comments:0 | Tags:Breaking News Hacking Security

“Harvesting clients’ information from the utility company”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud