iDEFENSE Security Advisory 06.10.2002 Datalex BookIt! Consumer Password Vulnerabilities DESCRIPTION Datalex PLC's BookIt! Consumer stores and transmits passwords in clear text. BookIt! is a suite of travel booking products that allows airlines, travel agencies and other travel enterprises to sell travel reservations via a web based portal. BookIt! is used by many corporations including Amtrak, as noted on their company website (http://www.datalex.com/company_clients.asp). By default, BookIt! Consumer does not handle passwords securely. Specifically, the following two vulnerabilities exist: 1. When generating or updating a profile, the user is presented with the following three options: * Save User ID to this computer? * Save User ID and Password to this computer? * Don't Save User ID and Password to this computer. If either of the first two options are selected, the user ID and/or password are stored in a cookie in clear text. The cookie uses the following format: bookituserid1055 user_ID powered.gohop.com/JBookIt 1536 3759767808 29567477 812114976 29494044 * bookitpassword1055 password powered.gohop.com/JBookIt 1536 3759767808 29567477 812274976 29494044 As seen above, the user ID and password are clearly visible. It should be noted that tickets.amtrak.com uses "Save Amtrak User ID and Password to this computer?" as its default setting. 2. When updating a profile, certain sites (e.g. tickets.amtrak.com) pass all form variables, including passwords using the GET method. The following web sites contain the aforementioned vulnerabilities: * http://powered.gohop.com/backpacker/home.htm * http://tickets.amtrak.com SOURCES Datalex, http://www.datalex.com, June 3, 2002 Jim Peters, Jim.Peters@datalex.com, June 3-5, 2002 ANALYSIS Storing authentication credentials in cookies is never a good idea as cookies can be stolen through cross-site scripting attacks or local access to the hard drive. Once cookies have been stolen, an attacker can gain access to the vulnerable site and masquerade as a legitimate user. This vulnerability is enhanced when authentication credentials are stored in clear text. In this situation the username and password can be obtained merely by viewing the cookie contents. Passing sensitive variables such as passwords in the URL using the GET method may expose the authentication credentials to attackers. URLs may be stored in proxy or web server log files. Anyone that has access to the logs will be able to view the user's credentials in clear text. VENDOR RESPONSE Datalex Bookit! Consumer prior to version 2.2 is vulnerable. According to Datalex, version 2.2 and above encrypt passwords using the Tiny Encryption Algorithm prior to storing them in a cookies. WORKAROUND Users can prevent having authentication credentials stored within cookies in clear text by using the "Don't Save User ID and Password to this computer" option when creating or updating user profiles. Reconfiguring the web server to pass form variables using the POST method could prevent the second vulnerability. VENDOR FIX Upgrade to Bookit! Consumer version 2.2 by contacting Datalex. Michael Sutton, CISA Senior Security Engineer iDEFENSE Labs 14151 Newbrook Drive, Suite 100 Chantilly, VA 20151 direct: 703.344.2628 voice: 703.961.1070 fax: 703.961.1071 msutton@idefense.com www.idefense.com