Con Edison website flaw could lead to account hijacking

Updated: A simple, yet easily fixable website flaw puts New York customers who use the utility provider's online service at risk of spoofing and impersonation.
Written by Zack Whittaker, Contributor
A ConEd truck in New York City. (Image: ConEdison)

A security flaw in Con Edison's website can allow an attacker to hijack customer accounts and steal personal information.

ConEd, one of largest utility providers in the US, serves more than three million customers in New York and Westchester County. Despite boasting almost $13 billion in annual revenue and $36 billion in assets, the company still has code on its website dating back to 2010.

Most customers who either type the website's address manually or click the first link off a search result are at the greatest risk, because its online customer portal -- coned.com -- by default is served on an unencrypted connection, yet allows users to log in to their account from that page.

Carrier IQ test

A spoofed version of the unencrypted ConEd website, which shows how an attacker can steal user's passwords. Image credit: ZDNet

Usernames and passwords submitted from the home page are sent to an encrypted HTTPS link. But, when the login page first loads, anything sent between the user's browser and the website is not scrambled. That means anyone on the same network -- such as a hotspot at a coffee shop -- could easily modify the login page to intercept and steal the person's username and password.

"It's not secure," security researcher Kenneth White told me in a message.

A successful attacker would be able to log in as the customer, allowing them to see personal information -- including home address, phone numbers, account numbers, billing history and copies of mailed correspondence.

White showed me how easy it would be for an attacker to impersonate an unencrypted website -- like ConEd's -- which could trick a user into entering their username and password to an attacker.

By modifying my computer's "hosts" file, White was able to trick my browser into redirecting "coned.com" to one of his own servers. Although my browser's address bar said "coned.com," the actual page was hosted on one of White's servers.

Other attacks are possible, through techniques such as DNS hijacking, which could enable an attacker to redirect any visitor from ConEd's site to their own site.

But what's easier and more likely is an attacker could register their own similarly-looking domain name and trick users into visiting through an email phishing campaign. White said, "On most mail readers or phones, you couldn't tell the difference."

HTTPS connections don't just ensure the data between your browser and the server are secure, they also ensure the site's integrity. Sites that are secured with a green padlock are almost impossible to manipulate, ensuring what you see is how the site's makers intended it.

Mike MacCana, founder of EV SSL provider CertSimple, told me in an email that sites with an extended validation certificate -- which his company provides -- can help protect sites from being impersonated. He added said the site's issues could be easily fixed.

"The website should redirect from HTTP to HTTPS by default," said MacCana. "All sites should do this in general, but particularly for sites like ConEd, where usernames and passwords are being sent on the front page."

White said it is "utterly irresponsible for modern sites handling credentials to not be rendered [through] mandatory HTTPS," particularly ones that have access to billing or payment information.

"It's unfortunately still a widespread problem -- in the commercial world and for government sites," he said.

ConEd is by far from the only site that has an aging website with flawed, outdated code.

On Monday, tech site Motherboard reported that a number of US military websites contain "serious" vulnerabilities that too are "trivial" to hack. According to the report, one bug allowed a hacker to "trick the site into revealing the contents of a database containing personal information on [Defense Dept.] employees, such as employees' names and home addresses."

"The web isn't broken because of sophisticated vulnerabilities, it's broken because so many ignore basic first principles," said White.

A ConEd spokesperson confirmed that the login box on the main page was removed following the publishing of this story.

"You'll click a sign in button now, and then go to a secure page to type in your username and password," said spokesperson Michael Clendenin.

Editorial standards