Feeds

Flaws in BT chat sites expose users

Oh dear

  • alert
  • submit to reddit

Internet Security Threat Report 2014

A third party website allowing unrestricted access to Oceanfree and IOL chat sites could enable visitors to view the IP address and domain names of the sites' 'chatters.'

Through the use of a third party website, industry experts have discovered a method for logging into BT Ireland's Oceanfree or IOL chat sites without registering on the system, giving them the ability to impersonate other visitors to the site. What's more, experts have found a vulnerability on the BT Ireland chat sites which reveal not only the IP addresses of other active visitors, but also host names which could be used to pinpoint the physical location of certain visitors.

Responding to questions about the vulnerability of the system, a spokesperson from BT Ireland said efforts would be made to repair the defect. However if a solution cannot be found, "we will need to review the chat servers as a viable entity," the spokesperson told ElectricNews.Net.

Registration systems are commonplace on chat sites and provide chatters with a certain degree of confidence that the people they are talking to are who they say they are. But by logging on to the Oceanfree and IOL chat sites through this third party website, unscrupulous "chatters" can essentially assume any identity they wish.

Another more worrying problem also exists. One industry watcher told ElectricNews.Net that once logged on via this third party site, users can view the IP address and domain (host) name of any other person in the chat room. In these cases, the revealing of the domain name could have quite "terrifying consequences," according to the individual who was among the first to spot the flaw.

"Only last (Tuesday) night I logged into Oceanfree chat to see if this vulnerability had been fixed, the first person I chatted to in the room was a young female. The domain name she was logged in from was clearly accessible. She was working late for a company that only has one office in Dublin, from my home I could have arrived on the doorstep of her office in less than 10 minutes. I'm sure the potential consequences here need absolutely no explanation," said the source.

Generally, people chatting online tend to do so from their home PCs, in which case their domain name would be fairly generic and not location specific. However, if people log on to Oceanfree and IOL chat sites from their workplace or university the domain name could potentially pinpoint their location to a single office, building, or room on a university campus.

Update: On Thursday just before noon BT Ireland informed ElectricNews.Net that it had rectified the security problem by removing the ability for third party websites to link to its chat rooms.

"It is important to note that this third party website did not have permission to link to the chatrooms provided by IOL and Oceanfree," a BT Ireland spokesperson said.

"The privacy of users of these chatrooms is important to BT Ireland and as such we will deny any forbidden access through third party sites," the spokesperson added.

© ENN

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.