PeoplePC is a great service for those who can not afford a broadband connection, or for those where broadband is currently not available.
I recently discovered a PeoplePC security threat that really should not even exist. The PeoplePC software was built on Python 2.4. Great development language for seasoned devs. who are not quite yet ready for the big change.
This is how this security leak can affect your data:
- Access to credit card information
- Access to home address (exposure to stalkers and criminals, possible breakins)
How is this data public? What do you mean it's a security leak?
When the PeoplePC Software is installed two directories are created, "PeoplePC", and "PeoplePC Accelerated". On an interval of every 15-30 min a file named output_test-%date%.log is created in the PeoplePC Accelearated / logs directory.
The contents of this log file are as follows:
Log file - Screen shot 1
Notice line 6-2. The private token and userID is displayed. If one were to get a hold of this information they could easily copy this supposedly "encrypted" string, paste it into their browser and submit the request. Now, the home.peoplepc.com website is automatically assuming that since the token already exists, the user can be logged in ... and that's what it does, it logs you in automatically without you having to specify a password of any sort. The default page you are taken to is obviously mail, but one can figure out and hit "Go to web mail", which then gives you a whole set of anew options that allows you to change your account settings, view the home page, and even upgrade the service.
How much of a threat do you think of this now? Here's what I am talking about:
PeoplePC Landing Page
Screen shot 2 shows the default landing when the "automatically" generated key-token is sent through the browser. (No logging in, just direct copy and paste).
Screen shot 3
Screen shot 3 exposes the "My account" and "Upgrade" links. Both fully functional without having to log in!
Screen shot 4
Screen shot 4 .... This is where the magic happens. Check out the notes on the image file. Some pages expose the billing address, last four digits of the credit card # (some more than likely expose the entire number, as well, just haven't had the time to look!).
In conclusion
Don't use PeoplePC unless you feel like letting some hacker get to your personal information and face being stalked, robbed or are OK with credit card theft.
Stevan Veselinovic
Another security leak, this time it isn't mine!