PwnedList, an online service that allows subscribers to monitor whether their credentials have been leaked in data breaches, said on Thursday that its decision to shut down has nothing to do with a serious vulnerability that exposed its collection of 866 million compromised credentials.
“The site was scheduled for decommission a while back. Due to various reasons, it was decided to keep it up for a bit longer, but the date was set long before this event took place,” said Byron Rashed, senior director of marketing for InfoArmor, the company that acquired PwnedList in 2013. “The decommission date of the PwnedList site was to coincide with the release of the new corporate website which you will see up shortly, that decision took place when that project started around three months ago.”
Shortly after the flaw was fixed and details publicly disclosed by journalist Brian Krebs, visitors to PwnedList.com were greeted with a message informing them that the site will shut down May 16. Rashed said that the data accumulated by PwnedList will be integrated into fee-based service offerings.
The flaw, known as parameter tampering, was disclosed to Krebs by researcher Bob Hodges. Hodges told Threatpost that the issue was “very serious” and that an attacker who had access to the breached credential database owned by PwnedList could use that information to launch attacks.
“For example, say a malicious hacker wanted to gain access to a corporate email server. The attacker would pull up a report from PwnedList for that company’s domain which could contain 10,000-plus user credentials depending on the company’s size,” Hodges said. “The attacker would then use a script or utility to try and authenticate each set of credentials using the company’s public-facing email server. If one or more accounts successfully authenticate, the attacker gains a foothold. This is just one example, similar attacks could be used to access VPN appliances, web servers, etc.”
Hodges and InfoArmor’s Rashed clarified that the credential data gathered by PwnedList came from publicly available online data and does not include personally indentifiable information or unreleased credentials. No subscriber or corporate data was exposed, Rashed said.
Hodges explained that the vulnerability was in PwnedList’s watchlist feature, a list of credentials the subscriber wants PwnedList to monitor.
“When you submit an email address to the watchlist, you are presented with a confirmation page. As long as you’ve submitted a valid email address, you’ll find a hidden parameter called ‘identifierstoadd.’ That parameter contains the email address submitted and a number value. By intercepting the form POST request and changing the values, any domain could be added to the watchlist,” Hodges said. “Within 24 hours, a report will be generated listing all breached credentials or hashes for all users in the specified domain going back five or six years. As you can imagine, a report for a domain like gmail.com would be very large.”
Hodges said that prior to PwnedList’s fix, the service did not verify users’ email accounts.
“Pwnedlist has a ‘verified’ column on the watchlist, but they no longer confirm ownership of email addresses or domains. Back in 2013, they used to verify email addresses by sending a confirmation email to the address added to the watchlist, but this is no longer the case or email addresses or domains,” Hodges said, adding that exploiting this weakness was simple. “I used the intercept feature in the tool Burp Suite to capture, view, and modify the POST parameters, but it could have been done in many ways.”
InfoArmor said the issue was patched quickly before public disclosure of the issue, and said the attack scenario was not a common use of the service.
“This was not a major vulnerability, many sites have similar vulnerabilities and it is quite common. In fact, the patch was applied immediately and before the [Krebs] story broke,” Rashed said. “It has been thoroughly tested to ensure the issue was resolved. The process that was undertaken to ‘expose’ this vulnerability was fairly extensive, it was not easy to do or ever done before. We have no other subscriber who ever attempted to do this or added any domain to their own watch list.”
Hodges, meanwhile, said he’ll be switching to <https://haveibeenpwned.com/>, a similar service maintained by researcher Troy Hunt.
“I’ve been using their service to monitor my personal email addresses,” Hodges said of the PwnedList closing. “And I’m bummed about them closing.”