Sep 16, 2008

WebSMS password security

Boredom can breed a lot of bullshit where I'm from, and this just happens to be one of those things. A couple of days ago I was bored out of my skull and thought I'd have a look at the security on everybody's favorite website. Yes, that's right. Dhiraagu's WebSMS!!!

Long story short: there are a lot of stupid design flaws for a company of Dhiraagu's standing.
Let's go over what we know then, shall we?

1) The sign up process is fairly simple and straightforward. You give them a name (first and last), a username and your cell number.

2) They send you a confirmation SMS with your password. These passwords are by default made up of FOUR upper case letters in various combinations. I cannot verify how random they are. We all know nobody really changes these (which you should!).

3) Four letters? I mean, come on! That's only like 26P4 = 358800 combinations, which by brute forcing at about 5 passes/sec is a total of 71760 seconds - roughly 20 hours and more than reasonable time to crack one.

Edit: Turns out the above calculation is wrong. It's actually 26^4 = 456976 combinations, which adds about 5 hours to the total time estimate above.

4) The redirects for when you enter an invalid username and when you enter an invalid password (correct username) are different, revealing far more information than they should; i.e., a would-be attacker can check whether a given username exists or not.

5) None of the traffic, absolutely none of it, is encrypted - making it so very, very easy to sniff. They even use "password" as the name for the form field, so that should make dsniff pretty happy I think.

Right then, so how easy would it be for, say, ME, to write a script based on the above information and crack such a password? VERY easy. I mean, all I'd have to do is generate all password combos (in bash that's as easy as typing "echo {A..Z}{A..Z}{A..Z}{A..Z}") and try them one at a time until I'm redirected to the right page... right? Forget writing stuff, there are already pretty strong bruteforcers out there.
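For comparison, here is what the server side of points 3 and 4 should look like. This is an added example, not the blog's code and not how WebSMS actually worked: every failed login (unknown username, wrong password, or locked-out account) gets the same redirect, the password hash is always computed so timing gives nothing away, and a per-username failure window turns the 26^4 keyspace from a one-day job into years. The usernames, passwords, PBKDF2 work factor and lockout values are all assumptions made up for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor (assumed value, not from the post)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample account store: username -> (salt, PBKDF2 hash).
# "QWER" stands in for the four-upper-case-letter default the post describes.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("QWER", _SALT))}
# Decoy credentials so an unknown username costs the same hashing work as a wrong password.
_DECOY_SALT = os.urandom(16)
_DECOY = (_DECOY_SALT, _hash("XXXX", _DECOY_SALT))

MAX_FAILURES = 5        # failed attempts allowed per username per window (assumed policy)
LOCKOUT_SECONDS = 900   # 15-minute window (assumed policy)
_failures = defaultdict(list)  # username -> timestamps of recent failures

FAIL: Tuple[int, str] = (302, "/login?error=1")  # one identical redirect for every failure
OK: Tuple[int, str] = (302, "/inbox")

def login(username: str, password: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Return the (status, Location) the server would send back for this attempt."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[username] if now - t < LOCKOUT_SECONDS]
    _failures[username] = recent
    if len(recent) >= MAX_FAILURES:
        return FAIL  # locked out; indistinguishable from a bad password
    salt, stored = USERS.get(username, _DECOY)
    # Always hash and compare, so response time does not reveal whether the username exists.
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        recent.clear()
        return OK
    recent.append(now)
    return FAIL

def exhaustive_guess_seconds(keyspace: int = 26 ** 4) -> float:
    """Wall-clock time to try every password against one username under this lockout."""
    return keyspace / MAX_FAILURES * LOCKOUT_SECONDS
```

With these numbers exhaustive_guess_seconds() comes to roughly 82 million seconds, about 2.6 years per username instead of the 25 hours in the post.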

So basically what I'm trying to say here is CHANGE THAT DEFAULT PASSWORD!!!
