09 Jul 2015

This is a follow-up to my post on the man-in-the-middle attack that Telkom continues to use, as well as to Telkom's response in the awesome TechCentral article and the new thoughts brought about by the Reddit post.

A real threat

Shortly after I posted my article I was contacted by someone (let us call them Person X) who went snooping based on my post and found that Telkom did indeed have a major security flaw in the system. We agreed to hold off sharing the information publicly until Telkom fixed it or enough time had elapsed to show they didn't care. Telkom appear to have fixed it, as far as I can tell, so let us dig into this major attack vector.

Recapping, the content that is served to you is made up of three pieces:

  • JavaScript – this is appended to other JavaScript to ensure it runs, and the entire modified JavaScript is returned from a specific server. This server is only visible on the Telkom ISP network.
  • HTML – a bit of HTML is loaded, once again from the same server as above.
  • Image – the graph showing you the usage is a static image served from a server which is (oddly) available everywhere: http://images.telkomsa.net/
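The first piece above is the one a site owner can actually detect: a script that was appended to still starts with the bytes the site published, but no longer hashes to the Subresource Integrity value the site published for it. The example below is added here and is not Telkom's or the post's code; the script bodies and the ISP host name in the tail are constructed samples.

```python
import base64
import hashlib

# Constructed sample: the JavaScript a site actually serves.
ORIGINAL_JS = b"function greet(){return 'hello';}\n"
# Constructed sample of an appended tail in the shape the post describes:
# extra JavaScript tacked onto the end, loading more from an ISP-only host.
INJECTED_TAIL = (b"\n(function(){var s=document.createElement('script');"
                 b"s.src='http://isp-only-host.invalid/usage.js';"
                 b"document.head.appendChild(s);})();\n")

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value, e.g. 'sha384-<base64 digest>', for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def script_tag(src: str, body: bytes) -> str:
    """The <script> tag a site author would publish so the browser refuses a modified copy."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'

def integrity_matches(body: bytes, expected: str) -> bool:
    """True only when the body hashes to the integrity value the site author published."""
    algo, _, _ = expected.partition("-")
    return sri_hash(body, algo) == expected

def looks_appended(served: bytes, original: bytes) -> bool:
    """Heuristic for the injection shape in the post: known-good prefix plus extra bytes."""
    return served.startswith(original) and len(served) > len(original)

if __name__ == "__main__":
    expected = sri_hash(ORIGINAL_JS)
    served = ORIGINAL_JS + INJECTED_TAIL
    print(script_tag("/static/app.js", ORIGINAL_JS))
    print("untouched copy passes:", integrity_matches(ORIGINAL_JS, expected))
    print("modified copy passes:", integrity_matches(served, expected))
    print("extra bytes appended:", looks_appended(served, ORIGINAL_JS))
```

Over plain HTTP the same middlebox can also rewrite the HTML that carries the integrity attribute, so this is a detection aid; serving the page over HTTPS is what actually stops the rewrite.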

Person X realised that the images came from a folder named ibn and that folder had directory listing enabled, which isn't good practice but is normally not a major security concern. What the directory listing showed, besides the files, is the version number of the server, which was (at the time) 2.0.52.

Apache 2.0.52 was released in November of 2004… 11 years ago, and has NUMEROUS security flaws. There is no reason to run this version at all; it is insecure and points to a major security procedure flaw at Telkom. Using one of the flaws, it was possible to replace the specific image on the server with anything you wanted. For example, you could swap the image file with a Flash file that would enable you to use one of the recent zero-day attacks against Flash, leveraging Telkom's system to deliver said Flash file to the user for you, thus allowing you to own the target machine.
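Both things Person X noticed, the directory listing and the version in its footer, are visible in a single response, so an administrator can audit their own hosts for them. The example below is added here and is not Telkom's or the post's code; the response is a constructed sample shaped like an Apache mod_autoindex page with ServerSignature On, the hostname is a placeholder, and the minimum acceptable version is a policy choice assumed here, not something the post states.

```python
import re

# Constructed sample response: an autoindex listing that also discloses the version.
SAMPLE_HEADERS = {"Server": "Apache/2.0.52 (Unix)", "Content-Type": "text/html"}
SAMPLE_BODY = """<html><head><title>Index of /ibn</title></head>
<body><h1>Index of /ibn</h1>
<pre><a href="usage.png">usage.png</a>   2015-06-30 10:00  4.1K
</pre>
<address>Apache/2.0.52 (Unix) Server at images.example.invalid Port 80</address>
</body></html>"""

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

def apache_version(headers, body):
    """Version tuple disclosed in the Server header or the autoindex footer, else None."""
    for text in (headers.get("Server", ""), body):
        match = VERSION_RE.search(text)
        if match:
            return tuple(int(part) for part in match.groups())
    return None

def directory_listing_enabled(body):
    """mod_autoindex titles every generated listing 'Index of /<path>'."""
    return "<title>Index of /" in body

def audit(headers, body, minimum=(2, 4, 0)):
    """Findings an administrator would fix on their own host, with the directive to use.

    `minimum` is an assumed policy floor (the 2.4 branch), not a value from the post.
    """
    findings = []
    if directory_listing_enabled(body):
        findings.append("directory listing enabled: set 'Options -Indexes'")
    version = apache_version(headers, body)
    if version is not None:
        findings.append("version disclosed: set 'ServerTokens Prod' and 'ServerSignature Off'")
        if version < minimum:
            found = ".".join(map(str, version))
            floor = ".".join(map(str, minimum))
            findings.append(f"Apache {found} is below the policy floor {floor}: upgrade")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```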

Remember this popup only shows to people who meet the following three requirements:

  1. Telkom ISP client
  2. At or near their limit
  3. Have not opted out

I would assume that the tech-savvy among Telkom's users have opted out, and those near their limit are soft-capped, meaning that security patches are slower to get to them. In short, it is the most vulnerable group who would be targeted. Scary, right?! Let us hope Telkom fixed all the issues with that server and all the others.

Comments on Telkom's choice of wording

I am really happy Telkom has responded and is fixing things; that is all I wanted. That said, their choice of wording and their delay in commenting until they had fixed the issue are interesting. Let us break down their response; I am avoiding nit-picking, since I could do a lot of that too.

In technical terms, we refer to it as an HTTP redirect

That is true. It is an HTTP redirect, but the manner in which it is used is not the traditional sense of an HTTP redirect, where the destination server tells the client to go somewhere else. Here a man in the middle (see what I did there) is doing the telling, and thus I chose the term MITM attack as the description. It is not an exact description, but it is one that describes the entire scenario and not just one chosen aspect.

HTTP redirect is a common mechanism used in service provider networks for content caching and to optimise video streaming

True again. That said, in those scenarios the service providers are not changing the content, merely the destination, to be better for the user. Telkom is changing the JavaScript content; there is a fundamental difference there.

does not alter the Web service content

In my previous post, I showed they are changing the JavaScript content, so that is pretty wrong.

is not a security risk

See above, and then realise it was only true when it was said, not the day before.

will not ‘break’ a website

The web is a big place; it is impossible to know that. I also wonder why break is in quotes – is there more than one definition of break?

Performance impact

How bad is the download size issue really? It is 200k of data, it is all local so latency is low, and the image URLs are constant so they can be cached. Also, if Telkom is smart, they are not counting this towards your cap. You will likely find that if the JavaScript is loaded in the header of the HTML page it could slow down rendering more than it slows down network I/O. My gut says that it is insignificant in the grand scheme of things, and I don't believe I got that across well before. I personally feel Telkom, as an ISP, should be squeezing out every drop of performance, and this would be a great start. Enough drops will fill a bucket.

Comments

Quintin van Rooyen

Hi. On uncapped accounts this usage tracking is not applicable. Could you do a tracepath to an affected site and let me do it to the same site and let's compare hops?
