Feeds

Flaws in BT chat sites expose users

Oh dear

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

A third party website allowing unrestricted access to Oceanfree and IOL chat sites could enable visitors to view the IP address and domain names of the sites' 'chatters.'

Through the use of a third party website, industry experts have discovered a method for logging into BT Ireland's Oceanfree or IOL chat sites without registering on the system, giving them the ability to impersonate other visitors to the site. What's more, experts have found a vulnerability on the BT Ireland chat sites which reveal not only the IP addresses of other active visitors, but also host names which could be used to pinpoint the physical location of certain visitors.

Responding to questions about the vulnerability of the system, a spokesperson from BT Ireland said efforts would be made to repair the defect. However if a solution cannot be found, "we will need to review the chat servers as a viable entity," the spokesperson told ElectricNews.Net.

Registration systems are commonplace on chat sites and provide chatters with a certain degree of confidence that the people they are talking to are who they say they are. But by logging on to the Oceanfree and IOL chat sites through this third party website, unscrupulous "chatters" can essentially assume any identity they wish.

Another more worrying problem also exists. One industry watcher told ElectricNews.Net that once logged on via this third party site, users can view the IP address and domain (host) name of any other person in the chat room. In these cases, the revealing of the domain name could have quite "terrifying consequences," according to the individual who was among the first to spot the flaw.

"Only last (Tuesday) night I logged into Oceanfree chat to see if this vulnerability had been fixed, the first person I chatted to in the room was a young female. The domain name she was logged in from was clearly accessible. She was working late for a company that only has one office in Dublin, from my home I could have arrived on the doorstep of her office in less than 10 minutes. I'm sure the potential consequences here need absolutely no explanation," said the source.

Generally, people chatting online tend to do so from their home PCs, in which case their domain name would be fairly generic and not location specific. However, if people log on to Oceanfree and IOL chat sites from their workplace or university the domain name could potentially pinpoint their location to a single office, building, or room on a university campus.

Update: On Thursday just before noon BT Ireland informed ElectricNews.Net that it had rectified the security problem by removing the ability for third party websites to link to its chat rooms.

"It is important to note that this third party website did not have permission to link to the chatrooms provided by IOL and Oceanfree," a BT Ireland spokesperson said.

"The privacy of users of these chatrooms is important to BT Ireland and as such we will deny any forbidden access through third party sites," the spokesperson added.

© ENN

Remote control for virtualized desktops

More from The Register

next story
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority
Let’s Encrypt to give HTTPS-everywhere a boost in 2015
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
Got an iPhone or iPad? LOOK OUT for MASQUE-D INTRUDERS
UNjailbroken iOS 7, 8 open to evil, says secbiz FireEye
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.