Feeds

Flaws in BT chat sites expose users

Oh dear

  • alert
  • submit to reddit

Security for virtualized datacentres

A third party website allowing unrestricted access to Oceanfree and IOL chat sites could enable visitors to view the IP address and domain names of the sites' 'chatters.'

Through the use of a third party website, industry experts have discovered a method for logging into BT Ireland's Oceanfree or IOL chat sites without registering on the system, giving them the ability to impersonate other visitors to the site. What's more, experts have found a vulnerability on the BT Ireland chat sites which reveal not only the IP addresses of other active visitors, but also host names which could be used to pinpoint the physical location of certain visitors.

Responding to questions about the vulnerability of the system, a spokesperson from BT Ireland said efforts would be made to repair the defect. However if a solution cannot be found, "we will need to review the chat servers as a viable entity," the spokesperson told ElectricNews.Net.

Registration systems are commonplace on chat sites and provide chatters with a certain degree of confidence that the people they are talking to are who they say they are. But by logging on to the Oceanfree and IOL chat sites through this third party website, unscrupulous "chatters" can essentially assume any identity they wish.

Another more worrying problem also exists. One industry watcher told ElectricNews.Net that once logged on via this third party site, users can view the IP address and domain (host) name of any other person in the chat room. In these cases, the revealing of the domain name could have quite "terrifying consequences," according to the individual who was among the first to spot the flaw.

"Only last (Tuesday) night I logged into Oceanfree chat to see if this vulnerability had been fixed, the first person I chatted to in the room was a young female. The domain name she was logged in from was clearly accessible. She was working late for a company that only has one office in Dublin, from my home I could have arrived on the doorstep of her office in less than 10 minutes. I'm sure the potential consequences here need absolutely no explanation," said the source.

Generally, people chatting online tend to do so from their home PCs, in which case their domain name would be fairly generic and not location specific. However, if people log on to Oceanfree and IOL chat sites from their workplace or university the domain name could potentially pinpoint their location to a single office, building, or room on a university campus.

Update: On Thursday just before noon BT Ireland informed ElectricNews.Net that it had rectified the security problem by removing the ability for third party websites to link to its chat rooms.

"It is important to note that this third party website did not have permission to link to the chatrooms provided by IOL and Oceanfree," a BT Ireland spokesperson said.

"The privacy of users of these chatrooms is important to BT Ireland and as such we will deny any forbidden access through third party sites," the spokesperson added.

© ENN

Beginner's guide to SSL certificates

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.