O2 router attack shows danger of staying logged in

Concerned about web security? One thing that may prove more valuable than any amount of supposed security software (anti-virus and the like) is the simple good practice of logging out of web sites at the end of each session.

Here’s the reason. Let’s say you are logged into some site – could be Facebook, or Google, or the admin screen on your router, and you’ve left checked the option that says “keep me logged in”. Then you visit some other site. The vast majority of web pages today run JavaScript code in the background, and these scripts execute on your computer, not on the web server. What if one of those scripts sends a request to a site where you are logged in? The request comes from your computer, so it looks like you to the web site. If you are unlucky, the script will be able to perform any action you could perform, but without your awareness – such as changing your password, or reading confidential information.

For this hack to work, a couple of things need to have gone wrong:

1. You are running a malicious script. This implies that the site you are visiting has been hacked, or has a vulnerability such as forum software which allows users to post content that might trigger a script. Even a link to an image in a forum post might be sufficient.

2. The site where you are logged in doesn’t make any additional checks on the source of the script. Although it is running on your computer, the HTTP request generally includes referrer data, revealing the URL of the page from which the script came. By checking this value, the site can figure out that there is something wrong. Another idea is to have unpredictable URLs for sensitive data.

Still, you’ll notice that neither of these things are under your control, whereas generally the option to log out of a site is under your control. Even that might not always be true – a developer could code a site without an option to log out – but that is unusual.

The O2 attack referenced above exploits this flaw to get into your router admin, if you are running an O2-supplied broadband router. It is a huge vulnerability, since if the router is re-configured a wide range of further attacks are possible. One example is DNS poisoning, where familiar URLs might take you to malicious destinations. It could also disable firewall protection and redirect external requests to one of your home or small business PCs – very nasty.

Here’s a couple of things that will improve security:

1. Don’t use the broadband supplier’s equipment, if it is not entirely under your control. Use your own; turn off universal pnp, change the admin password, don’t stay logged into the admin.

2. Don’t stay logged into any site which matters. Even sites which don’t appear to matter can be a security risk, if they expose passwords or security questions that you use elsewhere, for example. Personally I always log out of Facebook, Google and Twitter, for example, even though sites like these should be aware of the risks and be coded appropriately – they mostly are, but mistakes happen.

Unfortunately many sites encourage you to stay logged in, because it reduces the friction of using the site. Still, there are compromises which work. I notice with Amazon for example, that it uses cookies to give you personalized information even when not logged in, but displays password prompts with boring regularity for actions that spend money – though Amazon also advises you to log out completely if using a public or shared computer.

2 thoughts on “O2 router attack shows danger of staying logged in”

  1. Some very good points there, not something I thought of before despite how obvious it should have been. It certainly is something worth thinking about now I am playing with AJAX so that my own scripts do not suffer the problem.

    This is exactly why so called “security software” which blanks out the referrer is doing the OPPOSITE of what its supposed to be doing. Without the referrer its pretty much impossible to know if a request coming in is due to your own site requesting it or something else. Though of course it cannot eliminate someone spoofing the referrer, it does offer a little protection as spoofing would generally require the user to do something rather than be done behind their back.

    There was a similar issue mentioned a long time ago, it might have been on Sky. Basically malicious scripts logging into peoples routers and changing settings due to people keeping the default passwords.

  2. I’m an IT professional ( servicing hardware & basic OS mostly, ya I know, barely qualifies, but it’s work. ) and I had no idea that javascript worked that way.

    Great post just on that tidbit.

Comments are closed.