One reason not to use PeoplePC

Stevan Veselinovic — Tue, 09 Sep 2008 02:33:20 GMT

PeoplePC is a great service for those who can not afford a broadband connection, or for those where broadband is currently not available.

I recently discovered a PeoplePC security threat that really should not even exist. The PeoplePC software was built on Python 2.4. Great development language for seasoned devs. who are not quite yet ready for the big change.

This is how this security leak can affect your data:

Access to credit card information
Access to home address (exposure to stalkers and criminals, possible breakins)

How is this data public? What do you mean it's a security leak?

When the PeoplePC Software is installed two directories are created, "PeoplePC", and "PeoplePC Accelerated". On an interval of every 15-30 min a file named output_test-%date%.log is created in the PeoplePC Accelearated / logs directory.

The contents of this log file are as follows:

Log file - Screen shot 1

Notice line 6-2. The private token and userID is displayed. If one were to get a hold of this information they could easily copy this supposedly "encrypted" string, paste it into their browser and submit the request. Now, the home.peoplepc.com website is automatically assuming that since the token already exists, the user can be logged in ... and that's what it does, it logs you in automatically without you having to specify a password of any sort. The default page you are taken to is obviously mail, but one can figure out and hit "Go to web mail", which then gives you a whole set of anew options that allows you to change your account settings, view the home page, and even upgrade the service.

How much of a threat do you think of this now? Here's what I am talking about:

PeoplePC Landing Page

Screen shot 2 shows the default landing when the "automatically" generated key-token is sent through the browser. (No logging in, just direct copy and paste).

Screen shot 3

Screen shot 3 exposes the "My account" and "Upgrade" links. Both fully functional without having to log in!

Screen shot 4

Screen shot 4 .... This is where the magic happens. Check out the notes on the image file. Some pages expose the billing address, last four digits of the credit card # (some more than likely expose the entire number, as well, just haven't had the time to look!).

In conclusion

Don't use PeoplePC unless you feel like letting some hacker get to your personal information and face being stalked, robbed or are OK with credit card theft.

Stevan Veselinovic
Another security leak, this time it isn't mine!

Hey Everyone

Stevan Veselinovic — Mon, 08 Sep 2008 05:43:52 GMT

Finally, I have a blog set up! This one will be permanent. I will be posting articles on encryption, data transfer, working with web clients and more C# and VB based tutorials over the next few weeks, so stay with me as I make this long overdue transition back to blogging.

i'm not crazy

One reason not to use PeoplePC

Hey Everyone