SIK-2016-054


Title:

Internal Testing URLs in Avast Password Manager

Report ID

SIK-2016-054

Summary:

  • Vendor: AVAST Software
  • Product: Avast Passwords
  • Affected Version: 1.4.1
  • Severity: Low
  • Short summary:
    The app contains URLs to internal testing servers at AVAST that are openly accessible over the Interbet. While these URLs are never used, they give an attacker additional insights into the structure of the AVAST backend and allow him to attack untested and unfinished server code.

Details:

The app contains string constants not only for the service URLs that actively used to process login requests or synchronize the user’s password database, but also service URLs that are, according to their names, intended for internal testing purposes. These additional URLs are never used inside the app, but offer an attacker additional insights into the structure of the Avast backend.

"http://maidtest2.ff.avast.com";
"http://maidtest.ff.avast.com";
"http://thor-dev.ff.avast.com:8080";
"http://thor-test.ff.avast.com";
"http://streamback-test.ff.avast.com:80";
"http://lon23.ff.avast.com:80";
"http://streamback-sandbox.ff.avast.com:80";
"http://analytics-stage.ff.avast.com";
"http://analytics-dev.ff.avast.com";
"auth-test.ff.avast.com";
`

Some of these servers are available to the Internet, such as “maidtest2”. When crawling some of the testing URLs, one can find additional test servers such as “cdn-simulator”.

While making internal testing URLs available and known to adversaries is not a security risk on its own, it makes attacks on the backend easier. If these services are not only reachable from internal, trusted networks, but from the internet (which is the case, e.g., for “maidtest2”), attackers can freely interact with them. An attacker could, for instance, inspect testing web services in the hope that they contain more security vulnerabilities and have not been tested and hardened in the same rigorous way as their productive counterparts. Alternatively, he could manipulate the app such that it uses the testing service instead of the productive one and check whether this yields additional insights into the structure of the app and the backend.

Workaround

Not applicable.

Suggested Mitigation

Any material shipped to end-users, including documentation and software, should not contain any pointers to internal resources that are not strictly necessary for the normal operation of the software. This reduces the information readily available to an attacker who wants to attack the backend and makes it harder to find suitable starting points for the attack. Especially testing services, which might not be as mature and secure as their productive counterparts, should not be exposed to the Internet, but should only be available to trusted internal networks. If testing must be conducted with external parties, additional authentication should be employed to prevent unauthorized access to the testing systems.

Timeline

  • 2016-11-21 Vulnerability Reported
  • 2017-02-15 Still working on a solution
  • 2017-05-18 Vulnerability fixed