Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Wanadooops! Flaw Reveals User Data

Indexing flaw in the systems of Europe's top broadband ISP reveals personal data of many UK customers

One of the U.K.'s top broadband Internet service providers is investigating a flaw that allowed attackers to harvest personal information about its users and post it on the Internet.

Users on a Wanadoo user bulletin board earlier this week reported a vulnerability in Wanadoo's account recovery system servers that lets any browser user pull down the name, user ID, password, email address, and Web space subdomain of many Wanadoo U.K. customers.

In a statement, Wanadoo confirmed that "a small number of links to files containing customer details have been posted on the Internet." The company said it has taken down the sensitive information and has alerted the customers involved to change their passwords. However, Wanadoo hasn't yet fixed the problem: "An investigation is currently taking place to uncover how this happened and ensure that this does not happen again," the statement said.

According to "Gammarays," an anonymous user who posted the vulnerability, Wanadoo incorrectly configured its account recovery Web servers, allowing the user to view the contents of an entire folder instead of a single index page. A criminal could use the flaw to collect all the names in the folder and/or take control of the affected users' accounts.

Another anonymous user on the bulletin board said he tried the exploit, and was able to view, more than 20,000 Wanadoo customer records. He succeeded in downloading 6,896 of the records, even after Wanadoo said it had taken down the information.

User group postings indicate that the flaw could be up to two years old, but it apparently had not been reported to Wanadoo until this week.

A Wanadoo spokesman declined to answer questions about the details of the vulnerability, but he confirmed that the data leak was limited to Wanadoo UK, which supports some 2,025,000 customers. Wanadoo SA, Wanadoo UK's parent company and a part of France Telecom, is Europe's top broadband service provider with more than 8 million customers.

— Tim Wilson, Site Editor, Dark Reading

Organizations mentioned in this story

  • France Telecom SA (NYSE: FTE)
  • Wanadoo SA
  • Wanadoo UK

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-16772
    PUBLISHED: 2019-12-07
    The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
    CVE-2019-9464
    PUBLISHED: 2019-12-06
    In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
    CVE-2019-2220
    PUBLISHED: 2019-12-06
    In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
    CVE-2019-2221
    PUBLISHED: 2019-12-06
    In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
    CVE-2019-2222
    PUBLISHED: 2019-12-06
    n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...