Possible trivial Phorm opt-in "Exploit" discovered

Mel

ULTIMATE Member
I was doing a tiny bit of research on Phorm last night and it occurred to me that as the Opt-out is cookie based, it should be possible to opt-in an unwilling Phorm ISP customer using cross site request forgery (csrf).

All that's required is an image link which could be hidden on a webpage or in a forum post or blog etc.

Don't worry, no opt-in images here, but you can download my test page from rapidshare.

Download-Link #1: http://rapidshare.com/files/100013497/Phorm_opt-in_exploit.html

You can check your webwise opt-in/opt-out status here http://webwise.bt.com/webwise/

Mel

ULTIMATE Member
My webwise CSRF page has been temporarily made available at the following url

PHP:
http://www.toobadcs.co.uk/phorm/Phorm_opt-in_exploit.htm
I haven't made the link clickable so you'll have to copy the exploit URL to your address bar.

Warning by visiting this page Webwise will be enabled on your browser.

Don't forget to opt-out afterwards, or delete the a.webwise.net cookie.

If your ISP plans to implement Phorm/Webwise, then I think it might be wise to block the webwise.net domain.

On second thoughts, it might be wiser to choose a better ISP. :)

sentup.custard

ULTIMATE Member
> it might be wise to block the webwise.net domain
And, of course, if you're a bit forgetful (who, me? ;)) and have overlooked the fact that you blocked the darned thing about a fortnight ago when the Phorm story surfaced, you will have to temporarily allow it to get Mel's exploit to work in the first place. :rolleyes:

Having done that, yes, it did the job - but just as a minor point, Mel, there's an image top left that isn't showing up, and I don't *think* that's because of anything I've done.
I could be wrong, of course - I usually am. :D
 

Mel

ULTIMATE Member
> And, of course, if you're a bit forgetful (who, me? ;)) and have overlooked the fact that you blocked the darned thing about a fortnight ago when the Phorm story surfaced, you will have to temporarily allow it to get Mel's exploit to work in the first place. :rolleyes:
>
> Having done that, yes, it did the job - but just as a minor point, Mel, there's an image top left that isn't showing up, and I don't *think* that's because of anything I've done.
> I could be wrong, of course - I usually am. :D

That's the exploit; I said it was really trivial to do.

I could make sure the image wasn't visible, but as it is only a demo I couldn't be bothered.

This flaw took me about two minutes to spot, makes me wonder how thorough the security audit was...:shrug:
 

sentup.custard

ULTIMATE Member
Ah, right - I get it now, I hadn't twigged that it was a "non-image" rather than a "fake image", if you see what I mean, still expected to see something there.
> This flaw took me about two minutes to spot
Mmm... doesn't exactly say a lot for the brains behind their system, does it? :hrmph:
 

Mel

ULTIMATE Member
:nod: Yep, your browser sends an HTTP request to the "image" URL to fetch the image so it can display it, but as it is not actually an image, it doesn't render it.

As the "image" URL is in fact the Webwise opt-in URL, the Webwise server replies with an opt-in cookie, and hey presto, you've been press-ganged into Webwise.

There are more sophisticated ways to achieve a CSRF; I've even read it is possible to forge "Referer", but given that some popular applications strip "Referer" from HTTP requests, checking the referrer would not be a particularly good approach to preventing CSRF.
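The mechanism Mel describes above, as an added example that is not code from this thread or from Phorm/BT: a model of a Webwise-style opt-in endpoint showing why a cookie-setting GET is reachable from an `<img>` tag on any site, why a Referer check has to fail open when the header is stripped, and what a sound fix looks like (POST only, browser-set Origin check, a per-session anti-CSRF token, and a SameSite=Strict cookie). The `/services/OO?op=in` path is from the thread; the cookie names, the session and token values, the origins and the handler shapes are assumptions for illustration.

```javascript
// Added example, not code from the thread or from Phorm/BT. Models three
// versions of an opt-in endpoint and the request a victim's browser emits
// for a hidden <img> on a hostile page. Cookie names, session/token values
// and origins are assumptions; only the /services/OO?op=... path is real.

// Minimal Cookie-header parser: "a=1; b=2" -> value of `name`, or undefined.
function cookieValue(header, name) {
  for (const part of (header || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return undefined;
}

function parseOp(url) {
  const u = new URL(url, 'http://a.webwise.net');
  return { path: u.pathname, op: u.searchParams.get('op') };
}

// (1) Vulnerable: any GET to /services/OO?op=in|out sets the preference.
// <img src="http://a.webwise.net/services/OO?op=in"> on an attacker's page
// makes the victim's browser send exactly this request, cookies included.
function vulnerableHandler(req) {
  const { path, op } = parseOp(req.url);
  if (req.method !== 'GET' || path !== '/services/OO' || !['in', 'out'].includes(op)) {
    return { status: 404, headers: {} };
  }
  return { status: 200, headers: { 'Set-Cookie': `webwise_pref=${op}; Domain=.webwise.net; Path=/` } };
}

// (2) Referer check. Proxies, privacy tools and <meta name="referrer"
// content="no-referrer"> strip the header, so the check must accept a missing
// Referer or it locks out real users. That makes it fail open: an attacker
// page that suppresses Referer still succeeds.
function refererCheckHandler(req) {
  const ref = req.headers['referer'];
  if (ref !== undefined && !ref.startsWith('http://webwise.bt.com/')) {
    return { status: 403, headers: {} };
  }
  return vulnerableHandler(req);
}

// (3) Hardened: state changes only via POST; the browser-set Origin must match
// the site; the form carries a token bound to the session cookie; and the
// preference cookie is issued SameSite=Strict so a cross-site <img> or form
// never carries it in the first place.
const SESSIONS = new Map([['sess-123', 'tok-8f3a']]); // constructed session -> CSRF token
function hardenedHandler(req) {
  if (req.method !== 'POST') return { status: 405, headers: {} };
  if (parseOp(req.url).path !== '/services/OO') return { status: 404, headers: {} };
  if (req.headers['origin'] !== 'https://webwise.bt.com') return { status: 403, headers: {} };
  const expected = SESSIONS.get(cookieValue(req.headers['cookie'], 'session'));
  const body = new URLSearchParams(req.body || '');
  if (!expected || body.get('csrf_token') !== expected) return { status: 403, headers: {} };
  const op = body.get('op');
  if (!['in', 'out'].includes(op)) return { status: 400, headers: {} };
  return { status: 200, headers: { 'Set-Cookie': `webwise_pref=${op}; Domain=.webwise.net; Path=/; Secure; SameSite=Strict` } };
}

// The request a browser emits for the hidden <img> on an attacker's page
// (constructed). Pass referer = null to model a page that suppresses it.
function imgRequest(referer = 'http://attacker.example/post.html') {
  const headers = { cookie: 'session=sess-123' };
  if (referer !== null) headers.referer = referer;
  return { method: 'GET', url: '/services/OO?op=in', headers, body: '' };
}

function setsPref(res) {
  return res.status === 200 && /webwise_pref=in/.test(res.headers['Set-Cookie'] || '');
}

// Which handlers the attacker's <img> defeats, plus the legitimate path.
function demonstrate() {
  const legit = {
    method: 'POST', url: '/services/OO',
    headers: { origin: 'https://webwise.bt.com', cookie: 'session=sess-123' },
    body: 'op=in&csrf_token=tok-8f3a',
  };
  return {
    vulnerable: setsPref(vulnerableHandler(imgRequest())),            // true
    refererWithHeader: setsPref(refererCheckHandler(imgRequest())),   // false
    refererStripped: setsPref(refererCheckHandler(imgRequest(null))), // true: fails open
    hardenedImg: setsPref(hardenedHandler(imgRequest())),             // false
    hardenedLegit: setsPref(hardenedHandler(legit)),                  // true
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The point of the third handler is that no single check carries the load: the POST-only rule stops the `<img>` trick outright, the Origin check covers a cross-site form post (browsers always attach Origin to POST), the session-bound token covers a client that omits Origin, and SameSite=Strict means the preference cookie itself is never sent on a cross-site request even if everything else is misconfigured.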
 

Mel

ULTIMATE Member
> Just a tiny bit eh Mel? ;)

:nod: I just wanted to see what the opt-out cookie was like and make sure my firewall rules blocked the site, and I happened to look at a JavaScript.

As webwise is claimed to protect users against phishing, I suppose I should have made my demo "exploit" turn it off, although given browsers come with effective anti-phishing protection built in, I can't see the point :rolleyes:
 

Kits

Super Moderator
Staff member
ISPreview Team
Mel is very good at finding the loopholes for this; it is just annoying that every time I visit the webpage on the clan hosting I have to delete the Webwise cookie :) just using it to get me into a routine to check daily for a Webwise cookie before I start to visit websites. :D

It is soo nice to do the search and find none
 

timeless

ULTIMATE Member
Staff member
Volunteer Mod
Actually I've used my router to block it, and that page was the perfect place to do the test...
 

Mel

ULTIMATE Member
> Mel is very good at finding the loopholes for this; it is just annoying that every time I visit the webpage on the clan hosting I have to delete the Webwise cookie :) just using it to get me into a routine to check daily for a Webwise cookie before I start to visit websites. :D
>
> It is soo nice to do the search and find none

Well I used to fix software for a living, but it always helps when they are such blindingly obvious ones :D ;)


There's now another csrf test page on the Dephormation site
http://www.dephormation.org.uk/test_page.html
 

Mel

ULTIMATE Member
Thought I should provide a webwise "opt-out" link as I've read the BT webwise site's opt-in and opt-out has recently been temporarily disabled until the trial starts.

The following link will fetch a webwise opt-out cookie http://a.webwise.net/services/OO?op=out

If you are unfortunate enough to be with a "phorming" ISP, then unless they provide a proper (total) opt-out that doesn't involve cookies, such as TalkTalk is said to be implementing, your TCP stream will presumably still be intercepted and modified to trick your browser into providing cross-domain access to the Webwise cookie, and according to The Register, content will still be mirrored to Phorm's system, but you won't have a unique tracking ID.

If anyone wants to provide visitors to their website with a Webwise opt-out button, hopefully something like the following code would work.

HTML:
<iframe name="hidden_iframe" frameborder="0" scrolling="no" height="1" width="1"></iframe><br>
<input type="button" value="Opt into Phorm" onclick="frames['hidden_iframe'].location.href='http://a.webwise.net/services/OO?op=in'">
<input type="button" value='"Opt-out" of Phorm' onclick="frames['hidden_iframe'].location.href='http://a.webwise.net/services/OO?op=out'">
 


butler

ULTIMATE Member
> Strange that the PhormukTechteam never commented on this issue.
Not really as they only post with bland utterings that appear to be copy and pasted and they are very good at ignoring "difficult" questions (i.e those that they cannot put a spin on!!) ;)
 

timeless

ULTIMATE Member
Staff member
Volunteer Mod
or argue away with legal bs
 

Mel

ULTIMATE Member
BT and Phorm secretly tracked 18,000 customers in 2006

More secret BT trials... I've got shares in BT, perhaps I should be selling them in case the BT share price gets hit by a very large fine?


http://www.theregister.co.uk/2008/04/01/bt_phorm_2006_trial/

Exclusive BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year.

BT Retail ran the "stealth" pilot without customer consent between 23 September and 6 October 2006. The technology was approved, pending a further trial*.

Documents seen by The Register show that the companies used the secret profiles to target advertising at broadband customers when they visited certain popular websites.
One senior source in the broadband industry we spoke to was appalled by BT's actions. "This is extremely serious," he said. "Data protection errors are generally viewed as a potentially bad thing by the industry, but not a real threat to an ISP's reputation. This seems like a breach of criminal law, which is much, much worse."

Even during the early phase of the BT/Phorm deal that the technical report describes, the pair were preparing to spin the technology to the public. "121Media [Phorm] will take action (both technical and public relations) to avoid any perception that their system is a virus, malware or spyware and to show that in effect it is a positive web development," BT wrote in the report.

Someone on the cableforum pointed out that Phorm is an anagram of morph, so I guess whoever came up with 121media's new name has a sense of humour.
 

Kits

Super Moderator
Staff member
ISPreview Team
> Someone on the cableforum pointed out that Phorm is an anagram of morph, so I guess whoever came up with 121media's new name has a sense of humour.

Or when they were filling in the form they couldn't think of a suitable name, so spelt form wrong, hence phorm... :laugh:
 