Prodigy Email Vulnerability Exposes Thousands of Accounts and Puts Millions More At Risk In Mexico…

Over the past few weeks I have been working with  El Economista on the discovery and disclosure of a massive security hole in Prodigy’s  (Telmex) mobile email and web based mail systems in Mexico.

The hole has exposed at least several thousand email accounts, even enabling the indexing of email accounts and messages by Google and  putting all Telmex customers who have an email on the Prodigy.net.mx and several other domains at risk.

It is recommended that all users that have an email on any of these domains immediately change the passwords on their account and any any other account that shares the same login credentials:

  • prodigy.net.mx
  • prodigymovil.com
  • prodigymedia.com
  • infinitummail.com
  • correoinfinitum.com
  • prodigywifi.com.mx
  • correoprodigy.com
  • infinitumzone.net
  • nombre.mitmx.net

The security hole involved an application bug and server misconfiguration on a specific domain webmail2.prodigy.net.mx. The application serves as both the mobile email and webmail client application for Prodigy customers. If any user has logged into the webmail or wapmail application it is safe to assume that that email account has been compromised.

In Mexico, Prodigy is the main ISP with an estimated 92% of market share and up until September 15, 2010 prodigy.net.mx served as the default email for residential customers, so the vast majority of users of the Prodigy services also have a Prodigy email account.

The application in question did not have proper authentication in place, once a customer logged into their email account all that is needed by anybody to access is the URL with the customer ID parameter, no additional authentication is required either by that user on that system, or ANY system. There was no session timeout.

Screen Shot 2013-08-04 at 1.13.05 PM

Once a user logs into their account, anyone can access that users account via the URL, with no additional authentication required. Having access to  the URL granted anyone full access to that person’s email account, all emails sent and delivered to that person as well as the ability to send email on that person’s behalf.

To make matters worse  the URLs to access user email accounts were being indexed by Google.  I am assuming it was through the automated creation of a Google sitemap that was submitted to Google on a regular basis which in turn led to individual email messages being indexed.

I disclosed the issue to Google and they have removed all of the exposed email account pages and email messages from their search results and cache ( within 48 hours ).

prodigy1

Search results showing email accounts and email messages of Prodigy users

At the time  there were over three thousand pages of email account information that was indexed in their systems.  However as I do not know how long the hole has been exposed to Google there is no way to no if more email accounts and messages were exposed. This page and script were setup around March of 2010, so I am assuming that is how long the vulnerability has existed.

The security issue has also been disclosed to Telmex who appear to  have fixed the immediate problem and are continuing an “audit of their security protocols.” However when evaluating the application I found that there are other issues with the webmail and mobile email portal, specifically the fact that all logins are done via an unsecure (non-SSL) connection.

Anyone logging into a these email accounts from a public Wi-Fi hot spot can easily have their credentials intercepted. For those customers that are using these email addresses I would recommend users stop using these email accounts altogether as they are not secure.

At the very least these users should change their passwords and not access email at all on mobile devices or webmail through any open or unsecured Wi-Fi. I should note that SSL is not even an option for logging into the portal as all SSL ports are disabled, so there is no way for users to secure their authentication even if they wanted to.

To assist Telmex further I ran a vulnerability assessment of the server hosting the compromised application and found that it does not appear to have been patched since 2010 and is running old versions of Apache and PHP with known vulnerabilities and many accompanying exploits. There were over 78 patchable vulnerabilities on the server, 15 of which are critical.

 

Related Articles:

P.S. Have you met John Powers, supernatural CISO?

 

Title image courtesy of ShutterStock

Categories:

Tags: , , , , , , , , ,


Ken Westin

Ken Westin has contributed 97 posts to The State of Security.

View all posts by Ken Westin >