Weak Authentication

Recently I decided that I would no longer maintain my subscription to the local newspaper, The News and Observer.  Like many people I find that I get most of my news online these days and didn’t want to continue paying for something I didn’t use.  I decided to look at their web site to see if I could cancel my subscription online.  This is where I discovered that the uses a terrible authentication mechanism that can lead to the disclosure of personal information and unauthorized changes to paper delivery and other subscription options.

The crux of the problem is that the web site relies on publicly available information to authenticate subscribers.  Below is a screenshot of the subscriber login screen.

As you can see, all that is required to login to a subscriber account is a phone number and house number.  Both of these pieces of information are easily obtained online for most people.  After authentication, you have access to the subscriber’s account where you can gain additional information about the them.  The most important information that you can get access to is the subscriber’s email address.  This would be useful to scammers who could setup a fake site that resembles the real, send the subscriber an email telling them that they need to update their account information, and then obtain their credit card or other financial account data.  Below is a screenshot of my account home page.

Another thing that you can do within the subscriber section is manipulate delivery options.  For example, you can put stops on delivery or extend your subscription.  This would allow an unauthorized person to put a hold on someone else’s paper delivery or even change the length of their subscription, both of which could have a financial impact on the subscriber.  Below is a screenshot showing the ability to change these options.

Lastly, subscribers are able to change their personal information such as email address and phone number.  There is also a check-box to disable email notification of account changes.  A scammer could use this option to prevent notifications from being sent to the subscriber after he made changes to the account.  By updating the email address and phone number to one of his choosing, he may even be able to use social engineering to obtain credit card information from an N&O customer service representative.  Below is a screenshot of the page that allows a subscriber to change personal information.

Such a weak authentication mechanism is inexcusable for the second largest newspaper in the state of North Carolina.  With over 750,000 print and online readers, there are many opportunities for scammers to use this weakness to obtain subscribers’ personally identifiable information and potentially additional financial information.  It would not be difficult to automate a process for gathering phone numbers and house numbers for prominent people in North Carolina, many of whom are likely to subscribe to the News and Observer, attempt to login as these individuals, and obtain their email addresses.  With such a list in hand, it would be possible to send them fake emails appearing to be from the N&O that could trick them into divulging their credit card numbers.

I have contacted the to report this vulnerability to them.  Remediation is not difficult.  There are many types of authentication mechanisms that work well and the OWASP has a great site dedicated to this topic.  I hope that they take advantage of it to correct this issue.

5 Responses to “ Weak Authentication”

  1. lance miller says:

    Did they even respond to you inquiry?

  2. Jon says:

    Great article which brings this issue to light. Unfortunately for the N&O, this is likely not entirely their fault. I worked at a newspaper before, and a product called Chatterbox by ISD handled our subscriber services web site. While I don’t know for sure that the N&O uses Chatterbox, it seems to work exactly the same way with regard to authentication. I spoke with Chatterbox about security during our implementation and they simply didn’t care that a phone book was all you needed to gain access to a subscriber’s account.

    I place blame on both parties. Chatterbox should be held responsible for designing horribly insecure software. But the local newspaper should be held even more responsible for choosing a vendor which offers little to no security. I fear that the newspapers often value their budget above their subscribers. A dangerous thing to do since alienating their subscribers, something newspapers are very good at, is what lead them to their present situation.

  3. Ron Martz says:

    Thank you for making us aware of this flaw and more exposure of our personal information. I just subscribed yesterday and wish I wouldn’t have now.

  4. admin says:

    Sorry so late responding. The N&O never did answer my email (other than the auto-reply from their help desk). Sad, but unfortunately not unexpected.

  5. Mark Baldwin says:

    No resolution from the N&0.

Leave a Reply

Your email address will not be published. Required fields are marked *