Feeds

Flaws in BT chat sites expose users

Oh dear

  • alert
  • submit to reddit

The essential guide to IT transformation

A third party website allowing unrestricted access to Oceanfree and IOL chat sites could enable visitors to view the IP address and domain names of the sites' 'chatters.'

Through the use of a third party website, industry experts have discovered a method for logging into BT Ireland's Oceanfree or IOL chat sites without registering on the system, giving them the ability to impersonate other visitors to the site. What's more, experts have found a vulnerability on the BT Ireland chat sites which reveal not only the IP addresses of other active visitors, but also host names which could be used to pinpoint the physical location of certain visitors.

Responding to questions about the vulnerability of the system, a spokesperson from BT Ireland said efforts would be made to repair the defect. However if a solution cannot be found, "we will need to review the chat servers as a viable entity," the spokesperson told ElectricNews.Net.

Registration systems are commonplace on chat sites and provide chatters with a certain degree of confidence that the people they are talking to are who they say they are. But by logging on to the Oceanfree and IOL chat sites through this third party website, unscrupulous "chatters" can essentially assume any identity they wish.

Another more worrying problem also exists. One industry watcher told ElectricNews.Net that once logged on via this third party site, users can view the IP address and domain (host) name of any other person in the chat room. In these cases, the revealing of the domain name could have quite "terrifying consequences," according to the individual who was among the first to spot the flaw.

"Only last (Tuesday) night I logged into Oceanfree chat to see if this vulnerability had been fixed, the first person I chatted to in the room was a young female. The domain name she was logged in from was clearly accessible. She was working late for a company that only has one office in Dublin, from my home I could have arrived on the doorstep of her office in less than 10 minutes. I'm sure the potential consequences here need absolutely no explanation," said the source.

Generally, people chatting online tend to do so from their home PCs, in which case their domain name would be fairly generic and not location specific. However, if people log on to Oceanfree and IOL chat sites from their workplace or university the domain name could potentially pinpoint their location to a single office, building, or room on a university campus.

Update: On Thursday just before noon BT Ireland informed ElectricNews.Net that it had rectified the security problem by removing the ability for third party websites to link to its chat rooms.

"It is important to note that this third party website did not have permission to link to the chatrooms provided by IOL and Oceanfree," a BT Ireland spokesperson said.

"The privacy of users of these chatrooms is important to BT Ireland and as such we will deny any forbidden access through third party sites," the spokesperson added.

© ENN

5 things you didn’t know about cloud backup

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.