Wednesday, September 17, 2014

Telenor’s mailbox open for intruders – Computer Sweden

Computer Sweden’s Jonas Ryberg on how a single link can provide access to the entire telephony system:

When Andreas Timmelstad, IT manager at Arkitektkopia, recently introduced the Telenor mobile service Telenor One 2.0, he was initially surprised to notice that no login was needed to access voice messages through the links in the reminder emails the system sends out. He was even more surprised when he discovered that the same link was sent out every time a new message arrived. A clear security problem, in his view.

– I think it is irresponsible, he said.

As the system is built, anyone who gets hold of the link to an employee’s voice mail gains access not only to all the old messages. Since the link stays the same over time, it also opens up new messages that arrive after the link has gone astray. The method admittedly makes it easy for users to reach their messages, but Andreas Timmelstad is critical.

– There is a limit to how convenient you can make it for a user, and I think they have passed it, he says.

Anyone who has the link can do more than listen to voice messages. From the same website it is also possible to send SMS from the user’s phone number and to forward the user’s phone to another number. In addition, the whole company’s internal telephone directory, and with it the organizational structure, is completely open to a malicious intruder. Neither the links nor the e-mails are sent encrypted, so they can be stolen, for example by intercepting network traffic.

Telenor does not think there is anything strange about a link to the system being sent out in an unencrypted email.

– It is the same as when you forget a password somewhere: it is also sent in an email or via SMS, says Alexandra Carlsson, spokesperson for Telenor.

Andreas Timmelstad is critical of Telenor’s response and is now considering how he can turn off the feature that sends out the links.

– It’s not good to leave the security risk open, says Andreas Timmelstad.

He is supported in his criticism by Marcus Murray, a security expert at Truesec.

– It is not “best practice” when building web services to send out static links that give you a logged-in session. Normally you would use cookies with a certain lifetime. Doing it this way is not good, he says.

He considers it especially serious that the system makes it possible to work around the two-factor systems, with codes delivered via SMS or automated call, that more and more sites are adopting to increase security at login.

– We often find this type of deficiency at companies that have not had security audits. I can imagine that if you come from the telephony world, you have not grown up in this area, says Marcus Murray.

Telenor’s solution is not unique in the industry. Most telephony services give users access to their inbox in a similar manner through a link, but not all provide access to as many peripheral functions as Telenor.
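As an added illustration of the difference Murray describes (this is example code written for this page, not code from the article, Telenor or Truesec), the following Python sketch contrasts the static, reusable link pattern with a notification link that carries a signed, expiring, single-use token scoped to a single message. The hostname, the key handling, the class and function names and the 15-minute lifetime are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time


def static_link(mailbox_id: str) -> str:
    """The pattern the article describes (constructed illustration): one fixed,
    unauthenticated URL per mailbox, reused in every notification. Anyone who
    obtains it keeps access to old messages and to every message that arrives
    later."""
    return f"https://voicemail.example.invalid/inbox/{mailbox_id}"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    # Restore the padding stripped in _b64e before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class VoicemailLinkIssuer:
    """Hypothetical issuer of notification links. Each link carries a token that
    is HMAC-signed with a server-side key, expires after ttl_seconds, can be
    redeemed once, and names exactly one message. A leaked link therefore
    exposes at most that message, and only until it expires or is used."""

    def __init__(self, key: bytes, ttl_seconds: int, clock=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so expiry can be tested
        self._redeemed: set[str] = set()   # nonces already spent

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, mailbox_id: str, message_id: str) -> str:
        if "|" in mailbox_id or "|" in message_id:
            raise ValueError("identifiers must not contain the field separator")
        expires = int(self._clock()) + self._ttl
        nonce = secrets.token_hex(16)  # makes every link unique and single-use
        payload = f"{mailbox_id}|{message_id}|{expires}|{nonce}".encode()
        token = _b64e(payload + b"|" + self._sign(payload).encode())
        return f"https://voicemail.example.invalid/listen?token={token}"

    def redeem(self, url: str) -> tuple:
        """Validate a link. Returns (True, message_id) or (False, reason)."""
        try:
            token = url.split("token=", 1)[1]
            payload, tag = _b64d(token).rsplit(b"|", 1)
            tag_str = tag.decode()
            _mailbox_id, message_id, expires, nonce = payload.decode().split("|")
        except (IndexError, ValueError):
            return False, "malformed"
        # Constant-time comparison; reject anything not signed by our key.
        if not hmac.compare_digest(tag_str, self._sign(payload)):
            return False, "bad signature"
        if int(self._clock()) > int(expires):
            return False, "expired"
        if nonce in self._redeemed:
            return False, "replayed"
        self._redeemed.add(nonce)
        return True, message_id


if __name__ == "__main__":
    # Constructed demo: the static link never changes, the signed one does.
    print(static_link("mbox-42") == static_link("mbox-42"))
    issuer = VoicemailLinkIssuer(secrets.token_bytes(32), ttl_seconds=15 * 60)
    link = issuer.issue("mbox-42", "msg-7")
    print(issuer.redeem(link))   # (True, 'msg-7')
    print(issuer.redeem(link))   # (False, 'replayed')
```

The redeemed-nonce set is kept in memory here; a real service would store it (or the message’s "already opened" state) server-side and would still require a login for anything beyond playing that one message, such as sending SMS or changing call forwarding.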
