I recently found out that if you open
https://szfsg.megafon.ru/ps/scc/mobile/ from a mobile device over MegaFon's mobile Internet, you get into the MegaFon Service Guide (North-West) without a password (other regions may have a similar link).

MegaFon "knows" that it is you who is accessing the site (it identifies the subscriber from the mobile-data session itself) and therefore lets you in.
To disable this behaviour, the same Service Guide has a setting called "Manage automatic login", but it does not work: the switch is in the "disabled" position, yet in practice password-less login is still allowed.

As a result, even if you never touched this switch and had made sure it was set to "disabled", such a login turns out to be allowed anyway.
What security problems can this cause?
1. If you share your Internet connection (tethering) with other users, every one of them gets access to manage your personal account.
2. The same access is available to every piece of software running on all of (your) devices to which you share the connection. One could object that you simply should not run unknown (Trojan) software, but privilege separation is one of the main defences against malicious software, and here any software with zero privileges on the device gets access to your personal account.
3. Whether this can be combined with XSS vulnerabilities has not been studied.
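The failure mode described above, as an added example that is not MegaFon's code: a model of carrier-based automatic login in which the subscriber is identified from the mobile-data session (represented here by a hypothetical `network_msisdn` attribute that only the operator's network could set) and a per-subscriber "automatic login allowed" flag is stored. The subscriber table, phone numbers and passwords are constructed for the example. `login_broken` stores the flag but never consults it at the authentication decision point, which is exactly what makes a tethered device (and any process on it) land in the account; `login_fixed` enforces the flag and falls back to a password.

```python
"""Model of "automatic login" by network identity and the broken preference check.

Added example, not MegaFon's code. Assumptions: the operator attaches the
subscriber's MSISDN to requests arriving over its mobile-data network
(modelled as Request.network_msisdn, a hypothetical attribute), and keeps a
per-subscriber flag for the "Manage automatic login" setting. All data is
constructed; real systems store password hashes, not plaintext.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Subscriber:
    msisdn: str
    password: str
    auto_login_allowed: bool  # the "Manage automatic login" switch


@dataclass
class Request:
    # Set by the carrier network for traffic over mobile data (including
    # traffic from devices tethered to the phone); None for other networks.
    network_msisdn: Optional[str] = None
    form_msisdn: Optional[str] = None
    form_password: Optional[str] = None


# Constructed subscriber table: one subscriber has disabled automatic login.
SUBSCRIBERS = {
    "79210000001": Subscriber("79210000001", "correct horse", auto_login_allowed=False),
    "79210000002": Subscriber("79210000002", "battery staple", auto_login_allowed=True),
}


def _password_login(req: Request) -> Optional[str]:
    """Explicit login: returns the MSISDN on success, None otherwise."""
    sub = SUBSCRIBERS.get(req.form_msisdn or "")
    if sub is None or req.form_password is None:
        return None
    if hmac.compare_digest(sub.password.encode(), req.form_password.encode()):
        return sub.msisdn
    return None


def login_broken(req: Request) -> Optional[str]:
    """Behaviour the post describes: the flag exists but is never checked.

    Anyone whose traffic carries the subscriber's network identity, i.e. every
    device and every process behind the phone's tethering, is logged in.
    """
    if req.network_msisdn in SUBSCRIBERS:
        return req.network_msisdn
    return _password_login(req)


def login_fixed(req: Request) -> Optional[str]:
    """Automatic login only when the subscriber has left it enabled."""
    sub = SUBSCRIBERS.get(req.network_msisdn or "")
    if sub is not None and sub.auto_login_allowed:
        return sub.msisdn
    return _password_login(req)


def tethered_access(msisdn: str) -> dict:
    """Outcome for an unauthenticated request from a device tethered to `msisdn`."""
    req = Request(network_msisdn=msisdn)
    return {"broken": login_broken(req), "fixed": login_fixed(req)}


if __name__ == "__main__":
    # Subscriber 1 disabled automatic login: broken build still lets tethered
    # clients in, the fixed build demands a password.
    print(tethered_access("79210000001"))  # {'broken': '79210000001', 'fixed': None}
    print(tethered_access("79210000002"))  # {'broken': '79210000002', 'fixed': '79210000002'}
```

The check to take from this: a preference that is stored but not read on the code path that actually grants the session is indistinguishable from no preference at all, so tests for such a setting must drive the real login path with the setting in both positions rather than only verifying that the value was saved.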
MegaFon itself seems to understand the danger. In the new version of the "Personal Account" (which does not have this vulnerability), the following warning is displayed:

Two weeks ago I reported this problem to support, but in response I received the following:

Considering that a 120-character password (as recommended
here) is not very convenient to dictate over the phone, and that the password is not the point here at all, I filed a new request asking them to look into the password-less login. I received a standard reply again.
I also found a
post on the Internet indicating that this problem has existed for a long time, or that it is a regression.
It's time to write on Habr, I thought.
Maybe the problem is only on my end? I
asked a question on Toster; one person replied and confirmed the problem.
UPD: MegaFon
has fixed the password-less login. I checked it on my phone: the switch is still in the "disabled" position, and the ban now really works; logging in without a password is no longer possible. Good always wins!