Monday, December 05, 2005

TM Net Online Services Security Breach

I was trying to access TM Net Online Services via Firefox earlier today to check on my Streamyx bill. I clicked on latest bill and was shown the 3 most recent bills available. I clicked on the button for the English version and nothing happened. I was like... is this another IE-only website? Anyway, being curious and nosey today, I looked into the source. It seems to just use JavaScript to load a new URL based on the selection you have made. Maybe Firefox was unable to render it because they never encode the URL string.

Anyway, that's not my story today. Being curious as to how TMNET prioritizes security, I tried to cheat it a bit. To my horror, I was able to pull out other subscribers' information easily. I was able to pull up other subscribers' bills. On those bills are their amount owing, mailing address, account no. and user ID. Imagine this information falling into evil hands.

Anyway, I think you must be pretty excited as to how to cheat the system. Just log in to https://tmbill.tm.net.my and generate your own bill. After that just change the number to any random number and if you are lucky you will hit other people's bills. Example: https://tmbill.tm.net.my/SelfCare/Maintenance/invoiceTemplate.jsp?language=ENG&invoicePoid=0.0.0.1%20/invoice%204450807148%200 You should change the number after "invoice%20" sans quotes and before "%200" sans quotes. Please do not misuse the information. Based on my assumption, just incrementing or decrementing the last number will easily get you more bills.
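As an added illustration (not code from this post or from TM Net's application), here is the pattern behind the bill viewer described above: a lookup that selects the record by the invoicePoid value alone, beside one that also requires the invoice to belong to the logged-in account. The invoice records, the session table and the assumption that invoicePoid always has the shape quoted in the URL above are constructed for this example.

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    account_no: str
    amount_due: float
    mailing_address: str


class NotAuthorized(Exception):
    """Raised when the session may not see the requested invoice."""


# Constructed sample records and sessions; none of these are real subscribers.
INVOICES = {
    "4450807148": Invoice("4450807148", "ACC-1001", 66.00, "1 Jalan Contoh"),
    "4450807149": Invoice("4450807149", "ACC-2002", 88.00, "2 Jalan Contoh"),
}
SESSIONS = {"sess-alice": "ACC-1001", "sess-bob": "ACC-2002"}


def parse_invoice_poid(raw_poid: str) -> str:
    # Layout "0.0.0.1 /invoice <number> 0" is read off the URL quoted in the
    # post; assuming it is fixed is part of this example, not documented fact.
    parts = unquote(raw_poid).split()
    if len(parts) != 4 or parts[1] != "/invoice" or not parts[2].isdigit():
        raise ValueError("malformed invoicePoid")
    return parts[2]


def get_invoice_vulnerable(session_id: str, raw_poid: str) -> Invoice:
    # The flaw in the post: being logged in is checked, ownership is not.
    if session_id not in SESSIONS:
        raise NotAuthorized("not logged in")
    return INVOICES[parse_invoice_poid(raw_poid)]


def get_invoice_hardened(session_id: str, raw_poid: str) -> Invoice:
    # Scope the lookup to the logged-in account. Unknown and foreign invoices
    # produce the same error so the response does not confirm the id exists.
    account_no = SESSIONS.get(session_id)
    if account_no is None:
        raise NotAuthorized("not logged in")
    invoice = INVOICES.get(parse_invoice_poid(raw_poid))
    if invoice is None or invoice.account_no != account_no:
        raise NotAuthorized("invoice not available for this account")
    return invoice
```

In a real deployment the ownership condition belongs in the database query itself (filter by the authenticated account), so that no code path can fetch a record first and forget to check it afterwards.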

3 comments:

  1. This comment has been removed by a blog administrator.

  2. I did the same thing a few months back when trying to access my bill with Firefox, but I never thought of changing the numbers between the invoice... TMNet needs to fire the vendor who wrote this application. Hope it's not your company though :P

  3. I do not know who the vendor is, definitely not my company; I doubt I would let such a thing happen if I had a say. If you look at the code, it is commented that the code is maintained by Jenny Lee, Annie and NLL between 2004 and June 2005. You know any of them? Doesn't sound like X-Men to me. Too bad.
