Feeds

Flaws in BT chat sites expose users

Oh dear

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

A third party website allowing unrestricted access to Oceanfree and IOL chat sites could enable visitors to view the IP address and domain names of the sites' 'chatters.'

Through the use of a third party website, industry experts have discovered a method for logging into BT Ireland's Oceanfree or IOL chat sites without registering on the system, giving them the ability to impersonate other visitors to the site. What's more, experts have found a vulnerability on the BT Ireland chat sites which reveal not only the IP addresses of other active visitors, but also host names which could be used to pinpoint the physical location of certain visitors.

Responding to questions about the vulnerability of the system, a spokesperson from BT Ireland said efforts would be made to repair the defect. However if a solution cannot be found, "we will need to review the chat servers as a viable entity," the spokesperson told ElectricNews.Net.

Registration systems are commonplace on chat sites and provide chatters with a certain degree of confidence that the people they are talking to are who they say they are. But by logging on to the Oceanfree and IOL chat sites through this third party website, unscrupulous "chatters" can essentially assume any identity they wish.

Another more worrying problem also exists. One industry watcher told ElectricNews.Net that once logged on via this third party site, users can view the IP address and domain (host) name of any other person in the chat room. In these cases, the revealing of the domain name could have quite "terrifying consequences," according to the individual who was among the first to spot the flaw.

"Only last (Tuesday) night I logged into Oceanfree chat to see if this vulnerability had been fixed, the first person I chatted to in the room was a young female. The domain name she was logged in from was clearly accessible. She was working late for a company that only has one office in Dublin, from my home I could have arrived on the doorstep of her office in less than 10 minutes. I'm sure the potential consequences here need absolutely no explanation," said the source.

Generally, people chatting online tend to do so from their home PCs, in which case their domain name would be fairly generic and not location specific. However, if people log on to Oceanfree and IOL chat sites from their workplace or university the domain name could potentially pinpoint their location to a single office, building, or room on a university campus.

Update: On Thursday just before noon BT Ireland informed ElectricNews.Net that it had rectified the security problem by removing the ability for third party websites to link to its chat rooms.

"It is important to note that this third party website did not have permission to link to the chatrooms provided by IOL and Oceanfree," a BT Ireland spokesperson said.

"The privacy of users of these chatrooms is important to BT Ireland and as such we will deny any forbidden access through third party sites," the spokesperson added.

© ENN

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.