30-05-2008, 08:30   #7570
Dephormation
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

BT CUSTOMERS BEWARE

To repeat last night's warning in plain English... Do not log into the BT site, then visit any Phorm/third party operated BT.com web site.

Sites Potentially Affected Include
webwise.bt.com
www.webwise.bt.com

Explanation

BT seem to be using a 'single sign on' product (called SiteMinder) which allows you to log in once and gain access to any BT.com web site without being prompted for your user name or password. This is convenient: you sign on once and gain seamless access to all BT.com web sites.

During the login process cookie values are set for all BT.com web sites (cookies which include your email address, and a security credential which authenticates you to BT.com web sites).

Your browser will present those cookies to any BT.com web site trusting that those sites would not exist without BT consent. This will include BT.com web sites operated by Phorm/third parties outside BT's network, such as webwise.bt.com and www.webwise.bt.com.

This creates a security and privacy risk for the following reasons.

A security risk is created because an untrustworthy third party able to operate a BT.com web site, who is able to impersonate your IP address, and present a copy of your security credential, may be able to access your BT.com services and account details. This is called a replay/spoofing attack, a known security risk in single sign on solutions.

A privacy risk is created because a third party able to operate a BT.com web site has immediate access to your email address, whether or not you choose to enter that information. This allows third parties to link your email address and IP address simply by visiting their web site.

When Webwise/OIX is trialled, third parties would be able to link your email address, IP address and Webwise UID. If you delete your Webwise UID cookie, third parties would be able to link old/new Webwise UIDs knowing your email address.

Cookies Affected
SMSESSION = (Netegrity SiteMinder encrypted cookie)
btcom.userName = (email address)
btcom.dateVisited = (date of visit)

Conclusion

By allowing Phorm to operate a *.bt.com web site... BT may be giving your email address, and security credentials away to Phorm.

Sites like bt.custhelp.com and bt.webwise.com will not be affected (because the browser will not recognise them as BT.com sites).

If my analysis is correct (I'd appreciate independent confirmation by a BT subscriber with Netegrity SiteMinder knowledge, or sufficient tech insight to confirm the presence and configuration of the cookies manually) this is a very serious privacy and security flaw.

If I'm proved incorrect I will (of course) immediately post a retraction, but until you hear otherwise you may prefer to log out of BT.com before you visit webwise.bt.com or www.webwise.bt.com.
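The post's argument rests on how browsers scope cookies: a cookie set with a Domain attribute of bt.com is sent to every host under bt.com, including ones operated by a third party, while hosts such as bt.custhelp.com or bt.webwise.com never see it. The following is an added example, not code from the post or from BT, that simulates that browser decision using RFC 6265 domain matching. The cookie names are the ones the post lists; the assumption that they are scoped to bt.com is the post's, and the host-only variant is a constructed comparison, not something the post describes.

```python
"""Added example (not from the forum post): simulate which cookies a browser
attaches to a request, using RFC 6265 domain matching, to show why cookies
scoped to a parent domain reach every subdomain, including ones run by a
third party, while unrelated domains receive nothing."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str              # the cookie's domain, without a leading dot
    host_only: bool = False  # True when the server set no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the request host must equal
    the cookie domain or end with '.' followed by it. A leading dot on the
    cookie domain is ignored, as browsers do."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def is_sent(cookie: Cookie, request_host: str) -> bool:
    """A host-only cookie goes back only to the exact host that set it;
    a domain cookie goes to every host that domain-matches."""
    host = request_host.lower().rstrip(".")
    if cookie.host_only:
        return host == cookie.domain.lower()
    return domain_matches(host, cookie.domain)


def cookies_sent_to(jar, request_host: str):
    """Names of the cookies in `jar` the browser would attach to a request
    for `request_host`, in jar order."""
    return [c.name for c in jar if is_sent(c, request_host)]


# Constructed sample jar: cookie names as listed in the post; the Domain
# scope (bt.com) is the assumption the post's analysis rests on.
PARENT_DOMAIN_JAR = [
    Cookie("SMSESSION", "bt.com"),
    Cookie("btcom.userName", "bt.com"),
    Cookie("btcom.dateVisited", "bt.com"),
]

# Constructed comparison (a mitigation, not something the post describes):
# the same cookies set host-only by the login host, so they never leave it.
HOST_ONLY_JAR = [
    Cookie("SMSESSION", "www.bt.com", host_only=True),
    Cookie("btcom.userName", "www.bt.com", host_only=True),
    Cookie("btcom.dateVisited", "www.bt.com", host_only=True),
]

# Hosts named in the post, plus the login host assumed above.
HOSTS = ["www.bt.com", "webwise.bt.com", "www.webwise.bt.com",
         "bt.custhelp.com", "bt.webwise.com"]


def report(jar, hosts=HOSTS):
    """Map each host to the cookie names it would receive."""
    return {h: cookies_sent_to(jar, h) for h in hosts}


if __name__ == "__main__":
    for label, jar in (("Domain=bt.com", PARENT_DOMAIN_JAR),
                       ("host-only on www.bt.com", HOST_ONLY_JAR)):
        print(f"--- {label} ---")
        for host, names in report(jar).items():
            print(f"{host:24} -> {names or '(nothing)'}")
```

Run it and the first report shows all three cookies reaching webwise.bt.com and www.webwise.bt.com but none reaching bt.custhelp.com or bt.webwise.com, which is exactly the split the post draws. The host-only jar keeps the cookies on www.bt.com alone, but that also removes the single sign on convenience across BT.com sites, so the practical defence is to keep every host under the SSO cookie's domain under the same operator's control rather than to narrow the cookie.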