EarthLink flaw exposes domains

A combination of two exploits leaves tens of thousands of encrypted domain passwords open for the Web to see ... and possibly attack.
Written by Robert Lemos, Contributor

A one-two punch of poor security left up to 81,000 domains hosted by Internet service provider EarthLink open to defacement and exploitation for at least a week, ZDNet News learned on Tuesday.

The vulnerability resulted from a recently discovered flaw in an open-source e-commerce package combined with a misconfigured hosting server operated by EarthLink subsidiary MindSpring. As a result, files containing the encrypted passwords for 81,000 accounts were readable by any Web browser.

White-hat hacker and security expert Rain Forest Puppy said the extent of the security breach would rely on how MindSpring and its parent company EarthLink had configured its servers. "You can read files, even gain passwords, but if you can't log in with those passwords, all you can do is trivial stuff," he said. In that case, "it might not be as bad. Odds are, though, you can get to an open FTP server, which would allow a defacement."

A Dog Owner's Network, the site running the flawed software, and EarthLink were both notified of the vulnerability on Tuesday. A Dog Owner's Network has since removed the shopping cart software from its site, while EarthLink has engineers attempting to resolve the problem. No known Web sites have been defaced, exploited, attacked, or otherwise compromised, as a result of this incident.

The first of two flaws resulted from a common error. Web Store, the e-commerce software created by Extropia, failed to check the data it received from an URL for improper formatting. Joining several other makers of shopping cart software, Extropia was notified of the flaw in its open-source product on Oct. 9.

While the company has since fixed the software, the majority of sites using the program have most likely not installed the latest version, leaving them, to some extent, vulnerable. The vulnerability allows any Web user to read files on a server running the e-commerce software. Programmers from Extropia could not be contacted for comments by posting time.

While such a vulnerability could be irritating, a second hole made it more serious. A key file containing the encrypted passwords was left unprotected, giving trespassers the ability to copy the scrambled keys to about 81,000 accounts. Using the critical files, the passwords for the accounts could be decrypted.

A student, who asked to be identified by his online handle "The-Rev," found the hole in MindSpring servers on Oct. 10, a day after the flaw was made public. The student had been browsing for information on dogs when he noticed that ADogNet.com used the vulnerable software.

He tried to contact MindSpring network administrators last week by e-mail. After he received no response, he contacted ZDNet. It is uncertain at this point whether the password files had their access permission improperly set, or if the Web Store software had been running with superuser access. EarthLink is investigating the matter, said David Flammia, director of Web hosting for the Atlanta-based company. Flammia added that the files may be part of an old server that has not been upgraded.

Security consultant RFP stressed that assigning blame for the incident is not a cut and dried matter. "Software is going to have bugs. It's an unfortunate fact of life that is only being proven more so as the days go by," he said. "This MindSpring thing could be as much of a simple misconfiguration as it could be negligence."

Cris Alarcon, administrator of A Dog Owner's Network, said that none of A Dog Owner's Network's customer credit card information, nor high-level passwords, were kept on the MindSpring servers. "We never even store the credit card numbers," he said.

According to Alarcon, in five years of his domain being hosted on MindSpring, this was the first security issue he had ever face.

Editorial standards