Parameter tampering flaw allowed Pwnedlist to get pwned

Pwnedlist - which provided data on billions of pwned credentials - contained a flaw that allowed users to monitor breaches for arbitrary domains.

Pwnedlist: over 1 billion customers served

Pwnedlist, a website that maintains a list of other websites that have been breached, has itself been breached.

According to a report by Krebs on Security, a vulnerability discovered by a security researcher exposed 866 million account credentials collected by Pwnedlist. The researcher, Bob Hodges, found the problem when he was trying to add a couple of domains he administered to a watchlist.

"Hodges wanted to add to his watchlist the .edu and .com domains for which he is the administrator, but that feature wasn't available. In the first sign that something wasn't quite right authentication-wise at Pwnedlist, the system didn't even allow him to validate that he had control of an email address or domain by sending him a verification to said email or domain," said Krebs.

"On the other hand, he found he could monitor any email address he wanted. Turns out that when any Pwnedlist user requests that a new website name be added to his ‘Watchlist’, the process for approving that request was fundamentally flawed."

Following the news of the flaw discovery, the service is now in the process of closing down.

"Thank you for being a subscriber and letting us help alert you of any risks related to your personal credentials. Pwnedlist launched in 2012 and quickly became the leader in open-source compromised data aggregation," according to a statement on the website.

"In 2013 Pwnedlist was acquired by InfoArmor, Inc., a provider of enterprise-based services. As part of the transition, the Pwnedlist Website has been scheduled for decommission on May 16, 2016."

According to a Tweet by InfoArmor, the breached data that was exposed has “already been compromised” and there was “no loss of PII [personally identifiable information] or subscriber information”.

Richard Cassidy, technical director EMEA at Alert Logic, told SCMagazineUK.com that this specific vulnerability seems to be more of an application coding error in authorisation and authentication practices within the system, rather than a specific exploit in a protocol or OS platform. 

“Naturally one would expect a site that converges vast amounts of data including leaked e-mails and associated passwords, would indeed implement tighter controls on adding domains or e-mail aliases to watch-lists for automated updates, so that only verified sources could access relevant data.

“However, we have to be mindful of the fact that this data is already publicly available (if you know where to look) and therefore no data breach is actually occurring – in other words you can't breach data that has already been breached,” he said.

High-Tech Bridge's CEO, Ilia Kolochenko, told SC that parameter tampering is a pretty common type of application logic vulnerability in complicated web applications, such as e-commerce, e-banking or CRM/ERP web portals.

“The only way to fix it is to carefully revise web application logic and implement proper data integrity verification procedures,” he said.
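To make the flaw Krebs describes and the fix Kolochenko recommends concrete, here is an added illustration (not Pwnedlist's or InfoArmor's code; all names, the in-memory stores and the challenge flow are assumptions) of a watchlist handler that trusts the submitted domain parameter, next to a hardened handler that only accepts domains the requesting user has already proved control of through an out-of-band challenge.

```python
# Added example, not code from Pwnedlist: a minimal watchlist service showing
# a parameter-tampering flaw in authorization and its hardened counterpart.
import hmac
import secrets

# Constructed in-memory state standing in for the service's database.
VERIFIED_DOMAINS = {}    # user -> set of domains the user has proved control of
PENDING_CHALLENGES = {}  # (user, domain) -> challenge token sent out of band
WATCHLISTS = {}          # user -> set of monitored domains


def normalize(domain):
    """Canonical form so 'Example.ORG' and 'example.org' are the same key."""
    return domain.strip().lower().rstrip(".")


def add_to_watchlist_vulnerable(user, domain):
    """Trusts the 'domain' request parameter outright: any authenticated user
    can monitor breach data for any domain by editing that one parameter."""
    WATCHLISTS.setdefault(user, set()).add(normalize(domain))
    return True


def start_domain_verification(user, domain):
    """Issue a random challenge to be delivered via the domain itself
    (e.g. mailed to an administrative address). Returns the token."""
    token = secrets.token_urlsafe(16)
    PENDING_CHALLENGES[(user, normalize(domain))] = token
    return token


def confirm_domain_verification(user, domain, presented):
    """Mark the domain verified only if the presented token matches the one
    issued for this exact user/domain pair; constant-time compare avoids
    leaking token bytes through timing. The challenge is single-use."""
    key = (user, normalize(domain))
    expected = PENDING_CHALLENGES.get(key)
    if expected is None or not hmac.compare_digest(expected, presented):
        return False
    del PENDING_CHALLENGES[key]
    VERIFIED_DOMAINS.setdefault(user, set()).add(key[1])
    return True


def add_to_watchlist_hardened(user, domain):
    """Server-side authorization: the domain is accepted only if it is in
    this user's verified set, whatever the request parameter claims."""
    domain = normalize(domain)
    if domain not in VERIFIED_DOMAINS.get(user, set()):
        return False
    WATCHLISTS.setdefault(user, set()).add(domain)
    return True
```

The hardened path ties the authorization decision to server-held state keyed by the authenticated user rather than to anything the client sends, which is the integrity check the vulnerable handler lacks.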