A serious vulnerability found in PwnedList could have been exploited to gain access to millions of account credentials collected by the service.
PwnedList was launched in 2011 as a service designed to allow users to check if their accounts have been compromised. InfoArmor acquired PwnedList in 2013 and a few months later it started using it to power a new solution called Vendor Security Monitoring, which alerts organizations when one of their third-party vendors suffers a security breach.
Security researcher Bob Hodges had been trying to add the .edu and .com domains he manages to his PwnedList watchlist when he discovered a serious flaw that allowed him to monitor any domain.
Users have to go through an approval process when they want to add a domain or email address to their watchlist. However, a parameter tampering vulnerability allowed Hodges to add any domain that he wanted.
The problem was that in the two-step process of adding a new element to the watchlist, the second step did not take into account the information submitted in the first step, allowing an attacker to submit arbitrary data by tampering with the request.
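The flaw class described above, shown as an added example that is not PwnedList's code: a toy two-step flow in which step 2 either trusts the resubmitted domain or is bound to what step 1 approved. The class, method names, token scheme and sample domains are all hypothetical, and the approval rule is an assumption made for illustration.

```python
import secrets

class Watchlist:
    """Toy two-step 'add domain' flow; every name here is hypothetical."""

    def __init__(self, approved):
        self.approved = approved   # user -> domains the approval step accepts
        self.pending = {}          # token -> (user, domain) recorded in step 1
        self.watch = {}            # user -> set of monitored domains

    def step1_request(self, user, domain):
        """Step 1: approval check; the approved value is stored server-side."""
        domain = domain.strip().lower()
        if domain not in self.approved.get(user, set()):
            raise PermissionError("domain not approved for this user")
        token = secrets.token_urlsafe(16)
        self.pending[token] = (user, domain)
        return token

    def step2_vulnerable(self, user, token, domain):
        """Model of the flaw: step 2 uses whatever domain the request carries."""
        if token not in self.pending:
            raise PermissionError("unknown request")
        del self.pending[token]
        self.watch.setdefault(user, set()).add(domain.strip().lower())

    def step2_hardened(self, user, token, domain=None):
        """Step 2 bound to step 1: stored value wins, mismatches are rejected."""
        owner, approved_domain = self.pending.pop(token, (None, None))
        if owner != user:
            raise PermissionError("request does not belong to this user")
        if domain is not None and domain.strip().lower() != approved_domain:
            raise PermissionError("step 2 data differs from approved step 1 data")
        self.watch.setdefault(user, set()).add(approved_domain)


def demo():
    """Constructed sample data: 'alice' is approved for example.edu only."""
    results = {}
    for name in ("step2_vulnerable", "step2_hardened"):
        wl = Watchlist({"alice": {"example.edu"}})
        token = wl.step1_request("alice", "example.edu")
        try:
            # Step 2 arrives with a value that differs from the approved one.
            getattr(wl, name)("alice", token, "victim.example")
            results[name] = sorted(wl.watch["alice"])
        except PermissionError:
            results[name] = "rejected"
    return results
```

The hardened handler never needs the client to resend the domain at all; accepting it only to compare against the stored value gives a signal worth logging when the two differ.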
Hodges notified security blogger Brian Krebs, who tested the issue by adding the Apple.com domain to his watchlist. In less than 12 hours, Krebs received a downloadable report containing over 100,000 usernames and passwords associated with apple.com accounts.
An attacker with an active PwnedList account could have exploited the vulnerability to add the domain of any major company, or domains such as gmail.com, which would have generated a list of all compromised Gmail accounts. According to the PwnedList website, the service covers over 866 million account credentials from 101,000 leaks.
Krebs had been in touch with InfoArmor while he conducted his tests. The company initially doubted Hodges’ findings, but once the issue was confirmed, the PwnedList website was taken offline and the flaw was patched.
“In reference to the PwnedList credentials tool, the data that is in question contains no PII that can result in a compromise due to the fact that this data has already been exposed. The PwnedList Website is a legacy site from the PwnedList acquisition in 2013. Since last year, the free consumer monitoring service has been scheduled to be decommissioned by May 15, 2016. The data that was ‘exposed’ has already been ‘compromised’ – there was no loss of PII or subscriber data,” InfoArmor told SecurityWeek.
“InfoArmor values our PwnedList individual subscribers and will be offering them the opportunity to continue their relationship with InfoArmor by enrolling in our comprehensive identity monitoring product, PrivacyArmor,” the company stated.