Possible leakage of personal data or how Dom.ru gives full access to your account via the link from http
The vulnerability was first discovered on 06/26/2020, as the author immediately reported technical support to Dom.ru. The author long and hard tried to solve the problem non-publicly, but met her complete misunderstanding by technical experts. The provider assures that the author’s case is single, but today other sources have confirmed the existence of the problem. The author does not publish anyone’s personal data and does not call for illegal actions. Writing this article is a necessary measure.
Although, if the provider directly says that everything is fine, then the publicly available description of the work of its services should not bear any risks.
What is the point?
A large Internet provider Dom.ru intercepts the user's http-traffic and, from time to time, redirects it to its advertising page instead of the target one. In the body of the advertising page, the provider sends a link to configure or unsubscribe from advertising notifications, which leads to the user's personal account. This link allows full access to the user's personal account without entering a username and password and allows you to do this from anywhere in the world. The advertising page is transmitted using the unencrypted http protocol. This means that on any site (or even through sidebar ) between you and the server responsible for issuing advertising pages (info.ertelecom.ru), a leak could occur, and it does not matter that the personal account itself, after clicking on the link, works via https.
Has my data leaked?
The provider itself will not tell you exactly right now. If you have ever seen a similar page open over the http protocol at least recently, then you are prone to leak.
How to protect yourself?
- Go to the settings of your personal account, then at the bottom of the page select "Set up notifications from Dom.ru" and, at least, turn off all browser ads.
- If you have recently seen an advertising page, then you just have to hope that the data has not leaked and that the provider will soon ban access to backdoor links. At least for the already "lit up."
- If you have never seen such an ad, then you can only hope that disabling browser advertising will help. I don’t have reliable data, but habrausers in another topic mentioned that other ads were showing despite being disconnected.
Details. What could leak?
The first vulnerability was found 06/26/2020. I have no data on how long until 06/26/2020 this vulnerability was active. 07/02/2020 I received a screenshot from another subscriber on which the page was opened using the https protocol, but 05/07/2020 I received another screenshot with an advertising page open by http, which indicates that your data may still leak, even if you've never seen an ad page before. I tried unsuccessfully for a long time to draw the attention of the provider’s technical specialists to the problem. In the screenshot at the end of the article, the last message from the provider to me on 04/04/2020.
And now about the backdoor link itself. At the bottom of the advertising page there is a standard link to unsubscribe from advertising notifications. Here's what it looks like:
city_id - two-digit number, token - alphanumeric sequence of the 31st character.
When you click on the link, full access to your personal account, its administrative functions, such as changing the tariff, and personal user data is opened:
- Full name
- Address of residence accurate to the apartment
- Full bank card number, if the card was added to the office, masked with just two asterisks
- Phone number disguised with 4 stars - it’s easy to bind to the existing telephone database by city, name
- Customer account balance
- Your television preferences for add-on packages services
and other data.
Of the good ones, the provider does not provide any service like a domra wallet, or another way to withdraw money from the balance. You will get money only if the attacker connects to the services.
Nevertheless, the fact that cybercriminals may have another set of data about you, sometimes quite rare data, does not bode well.
- Social engineering. An attacker may introduce yourself in a telephone conversation with a bank or other organization. The data set for blabbering is now expanded.
- Phone fraud. The pseudo-security speech from the bank will be even more personalized. They will tell you where you live and what is your bank card number, knowing only the phone number and name before.
I don’t know if the provider knows how to tear out http pages from the body of unencrypted requests to socks and http proxy and put ads in their place.
Also, I do not know how many backdoor links could already leak, which means how many of them can still be used.
My personal opinion is that, in principle, there should not be such a link. Even transmitted over https. In this situation, the link should lead either to an unauthorized account, or to a small form of unsubscribing from the newsletter, but in no case to the full version of your personal account. Even if the security of the transmission of such a link is guaranteed, users of your home Internet are not always reasonable. A child who sees such an advertisement can arrange a surprise for parents in the form of connecting a new high-speed tariff. After all, the tariff is high-speed, and it was shown in advertising.
I’m not going to speculate, but even with a secure link transfer, in the worst case scenario, it may be available to very many provider employees. I have no confidence that it is not logged in the access logs of application servers, just as passwords should not be logged. I have no confidence that the token, as a convenient replacement for the user ID, is not used in those. support. The temptation to use such a link “on the side” can be very great if it lies and is accessible anywhere, and its use is not monitored in any way. Provider such activity, if ever and track, then finding the culprit will be very problematic. And in the end, it’s clearly not worth creating extra temptations and risks where this can be avoided.
Regarding whether it was done so purposefully, and not by mistake, I’m not going to speculate either.
The provider calls this link pass-through authorization, but I believe that this is not so. What do you think?
I would like to put the latest answer from the provider on the cake.
- The page magically appears immediately in my router, and the intermediate nodes in the trace seemed to me.
- I don’t know what tokens have a lifetime, but I can still log in with the token from 06/26/2020 (not the fact that they didn’t hijack it either). And on 07/05/2020 I received another token from my account. Both are valid at a time.
- And generally the user browser is to blame.
By the way, I got the second token in another browser.
And 07/05/2020 I was even lucky to catch the next package on the router interface.
The browser is to blame
17:04:27.910885 IP (tos 0x28, ttl 126, id 54321, offset 0, flags [none], proto TCP (6), length 415) айпи_сервера_целевой_страницы > мой_динамический_айпи: Flags [P.], cksum 0xad30 (correct), seq 1:376, ack 731, win 65534, length 375: HTTP, length: 375 HTTP/1.1 303 See Other Cache-Control: no-cache,no-store,max-age=1 Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Connection: close Content-Length: 13 Location: http://info.ertelecom.ru/?campId=айди&machine=perm&ourl=адрес_целевой_страницы
07/06/2020 I received a report from another source about opening an advertising page via http.
Instead of a conclusion
I still do not dislike the provider, although, I think, many in my place would have experienced acute anger. I understand that the human factor can sometimes be very strong. I never pursued the goals of making someone bad - this is not about me. My goal is to finally reach out to the provider and warn you. And you warn your friends and relatives.
Like many companies, Dom.ru does not have a bug bounty program. I urge all readers to never go on about the momentary “black” gain.First of all, you act against people like you, and not “systems”.
I would like to ask a couple of questions to the Habrovsk citizens.