Re: USPS Online Bill Pay - Cleartext Password Leakage

I just wanted to let the readers of this list know that this issue is
not necessarily in Checkfree code; it could be due to an interface
coded by USPS to a Checkfree product. I also wanted to note that
Checkfree was not notified by Matthew Dent about this issue, as you
can see from the dialog below. I only mention this because Matthew
made note that he got NO vendor response. In closing, the way Matthew
worded his advisory, that "other Checkfree portals" may also be
vulnerable, may not be a correct statement, as you can see that
Matthew himself assumes the interface or portal was coded by USPS
themselves.

*My views and opinions do not necessarily reflect the views of my company*
-KF


Matthew Dent wrote:

> I did not notify anybody at Checkfree directly.  Based
> on the URLs involved and other information, I assumed
> that USPS probably coded it themselves (or, more likely,
> hired someone else to code it).
> 
> I notified USPS through their online "message" feature
> using the "unexpected system operation" (or something
> like that) tag.  I only mentioned Checkfree's name
> because I know that USPS uses them (you) on the
> back-end.
> 
> Matt D.
> 
> --- KF <dotslash@snosoft.com> wrote:
> 
>> I happen to work for Checkfree... whom did you
>> notify at our organisation, if anybody? I am not
>> sure if we coded it or if they did...
>> -KF
>> 
>> Matthew Dent wrote:
>> 
>>> AFFECTED:
>>>
>>> Users of USPS Online BillPay Service.  It is unknown
>>> whether other Checkfree portals are vulnerable to the
>>> same problem.
>>>
>>> OVERVIEW:
>>>
>>> Failed username/password results in plain-text return
>>> of submitted password.  If the USERNAME was the
>>> incorrectly typed piece, this will result in a
>>> plain-text version of the user's password being
>>> retrievable using the 'VIEW SOURCE' browser option.
>>>
>>> DESCRIPTION:
>>>
>>> The USPS Online BillPay service utilizes a
>>> username/password combination for access to their
>>> service.
>>>
>>> Users enter their username/password to gain access to
>>> their account.
>>>
>>> If a user mistypes the username or password, a
>>> pre-filled form is returned to the user which
>>> INCLUDES the password that was entered on the attempt.
>>>
>>>
>>> IMPACT:
>>>
>>> If the user mistyped the username but correctly typed
>>> the password, the plain-text password is returned to
>>> the browser and is viewable by using the back button
>>> and the "view source" option of the browser.
>>>
>>>
>>> SOLUTION:
>>>
>>>    END-USER
>>>
>>> The only known workaround is to configure the browser
>>> to not cache pages at all.  This will prevent the
>>> ability to use the "back" button; however, if the
>>> returned page is on the screen, using "view source"
>>> may still display the information.
>>>
>>>    VENDOR
>>>
>>> Re-code the application to not return the password in
>>> the "login-failed" form that is displayed.  This
>>> should be a relatively easy solution.
>>>
>>>
>>>
>>> VENDOR NOTIFICATION
>>>
>>> USPS BillPay was first notified 1/1/2002 and given a
>>> "respond by" deadline of 1/17/2002.  This notification
>>> occurred from within their online customer care
>>> interface.  Complete and accurate contact information
>>> was included.
>>>
>>> When no response was obtained, a second notification
>>> was sent on 1/16/2002 with an extension until 00:00
>>> 1/19/2002 -- at which time this information would be
>>> posted to BUGTRAQ.  The original message (including
>>> complete contact information) was included.
>>>
>>>
>>> VENDOR RESPONSE:
>>>
>>> None to date.
>>>
>>>
>>> Matthew Dent
>>> dentm@yahoo.com
>>>
>>> __________________________________________________
>>> Do You Yahoo!?
>>> Send FREE video emails in Yahoo! Mail!
>>> http://promo.yahoo.com/videomail/
>>> 
>>> 
>>> 
> 
> 
> 
> 
> 

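The reflection pattern the quoted advisory describes, shown as an added example that is not part of the original post and not USPS or Checkfree code: a "login-failed" handler that pre-fills the password field (the vulnerable behaviour), beside a hardened handler that re-fills only the username and marks the response non-cacheable so the back button cannot bring it back, plus a small audit a tester can run over any captured failed-login response to flag both the reflected secret and a missing Cache-Control: no-store. The function names, the form markup and the sample credentials are all invented for illustration.

```python
# Added example (not code from the advisory, USPS or Checkfree): the
# "login-failed" form reflection described above, the hardened form of
# the same response, and an audit a tester can run over a captured
# response body and headers. Names and markup are hypothetical.
from html import escape


def render_login_failed_vulnerable(username: str, password: str) -> tuple[dict, str]:
    """Vulnerable: pre-fills BOTH fields, so the submitted password is
    written into the HTML source (and into the browser cache) even when
    only the username was mistyped."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = (
        "<p>Login failed. Please check your username and password.</p>\n"
        '<form method="POST" action="/login">\n'
        f'  <input type="text" name="username" value="{escape(username, quote=True)}">\n'
        f'  <input type="password" name="password" value="{escape(password, quote=True)}">\n'
        '  <input type="submit" value="Sign in">\n'
        "</form>\n"
    )
    return headers, body


def render_login_failed_hardened(username: str) -> tuple[dict, str]:
    """Hardened: the password never reaches the template (only the
    username is re-filled), and the response is marked non-cacheable so
    the back button cannot resurface it from the browser cache."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }
    body = (
        "<p>Login failed. Please check your username and password.</p>\n"
        '<form method="POST" action="/login">\n'
        f'  <input type="text" name="username" value="{escape(username, quote=True)}">\n'
        '  <input type="password" name="password" value="">\n'
        '  <input type="submit" value="Sign in">\n'
        "</form>\n"
    )
    return headers, body


def response_leaks_secret(body: str, secret: str) -> bool:
    """True if the secret appears in the body either raw or HTML-escaped
    (a value= attribute normally carries the escaped form, so checking
    only the raw string would miss passwords containing & < > " ')."""
    return secret in body or escape(secret, quote=True) in body


def audit_login_response(headers: dict, body: str, secret: str) -> list[str]:
    """Findings a tester would raise for a failed-login response:
    the submitted password echoed back, and a cacheable response."""
    findings = []
    if response_leaks_secret(body, secret):
        findings.append("submitted password reflected in response body")
    cache = headers.get("Cache-Control", "").lower()
    if "no-store" not in cache:
        findings.append("response cacheable: Cache-Control lacks no-store")
    return findings


if __name__ == "__main__":
    # Constructed sample credentials; the username is deliberately wrong,
    # which is exactly the case where the reflected password is the real one.
    user, pw = "jdoe", "S3cret&Pass!"
    for name, (h, b) in {
        "vulnerable": render_login_failed_vulnerable(user, pw),
        "hardened": render_login_failed_hardened(user),
    }.items():
        print(name, audit_login_response(h, b, pw) or ["no findings"])
```

The audit checks the escaped form of the secret as well as the raw one because a password containing `&` or `"` is written into a `value=` attribute as `&amp;` or `&quot;`, and a raw substring match would report the vulnerable page as clean. Dropping the password from the template is the actual fix; the `no-store` header only narrows the back-button exposure the advisory's end-user workaround was trying to cover.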

