
Millions of Credentials Exposed by PwnedList Flaw

A serious vulnerability found in PwnedList could have been exploited to gain access to millions of account credentials collected by the service.

PwnedList was launched in 2011 as a service designed to allow users to check if their accounts have been compromised. InfoArmor acquired PwnedList in 2013 and a few months later it started using it to power a new solution called Vendor Security Monitoring, which alerts organizations when one of their third-party vendors suffers a security breach.

Security researcher Bob Hodges had been trying to add the .edu and .com domains he manages to his PwnedList watchlist when he discovered a serious flaw that allowed him to monitor any domain.

Users have to go through an approval process when they want to add a domain or email address to their watchlist. However, a parameter tampering vulnerability allowed Hodges to add any domain that he wanted.

The problem was that in the two-step process of adding a new element to the watchlist, the second step did not take into account the information submitted in the first step, allowing an attacker to submit arbitrary data by tampering with the request.
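To make this class of bug concrete, the following is a hypothetical two-step watchlist handler written for this article; it is an added illustration, not PwnedList's or InfoArmor's code, and the class, method, user and domain names are invented. Step one performs the ownership check and records the request server-side. The weak confirmation step re-reads the domain from the client's second request, so whatever passed the check in step one is irrelevant; the hardened version commits only the domain recorded server-side in step one, rejects any mismatch, and refuses tokens that belong to another user.

```python
"""Hypothetical two-step 'add domain to watchlist' flow (constructed example)."""
import secrets

# Constructed approval data: domains each user has proven they control.
VERIFIED_OWNERSHIP = {
    "alice": {"alice-example.edu"},
}


class WatchlistService:
    def __init__(self):
        self.pending = {}      # token -> (user, domain) recorded in step one
        self.watchlists = {}   # user -> set of domains being monitored

    def start_add(self, user, domain):
        """Step one: enforce the approval check and store the request server-side."""
        if domain not in VERIFIED_OWNERSHIP.get(user, set()):
            raise PermissionError("domain ownership not verified")
        token = secrets.token_urlsafe(16)
        self.pending[token] = (user, domain)
        return token

    def confirm_add_weak(self, user, token, submitted_domain):
        """Vulnerable step two: trusts the domain re-sent by the client."""
        if token not in self.pending:
            raise PermissionError("unknown request")
        # BUG: the domain checked in step one is never consulted; the form
        # field from the second request is written straight to the watchlist.
        self.watchlists.setdefault(user, set()).add(submitted_domain)
        del self.pending[token]
        return submitted_domain

    def confirm_add_fixed(self, user, token, submitted_domain):
        """Hardened step two: server-side state from step one is authoritative."""
        record = self.pending.get(token)
        if record is None or record[0] != user:
            raise PermissionError("unknown request or token belongs to another user")
        stored_domain = record[1]
        # A domain that differs from step one is a tampered request: reject it
        # outright instead of silently using either value.
        if submitted_domain != stored_domain:
            raise ValueError("domain altered between steps")
        self.watchlists.setdefault(user, set()).add(stored_domain)
        del self.pending[token]   # tokens are single-use
        return stored_domain


def run_scenarios():
    """Exercise both handlers with a step-two request that swaps the domain."""
    results = {}

    weak = WatchlistService()
    token = weak.start_add("alice", "alice-example.edu")
    results["weak_accepts_tampered"] = (
        weak.confirm_add_weak("alice", token, "other-example.com") == "other-example.com"
    )

    fixed = WatchlistService()
    token = fixed.start_add("alice", "alice-example.edu")
    try:
        fixed.confirm_add_fixed("alice", token, "other-example.com")
        results["fixed_rejects_tampered"] = False
    except ValueError:
        results["fixed_rejects_tampered"] = True
    # The token survives the rejected attempt, so a consistent confirm still works.
    results["fixed_accepts_consistent"] = fixed.confirm_add_fixed(
        "alice", token, "alice-example.edu"
    )
    results["token_single_use"] = token not in fixed.pending

    try:
        fixed.start_add("alice", "other-example.com")
        results["unverified_rejected_at_step_one"] = False
    except PermissionError:
        results["unverified_rejected_at_step_one"] = True
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The design point is that the approval decision and the commit must refer to the same server-held record; anything the client re-supplies in the final step is at best a consistency check, never the value that gets written.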

Hodges notified security blogger Brian Krebs, who tested the issue by adding the Apple.com domain to his watchlist. In less than 12 hours, Krebs received a downloadable report containing over 100,000 usernames and passwords associated with apple.com accounts.

An attacker with an active PwnedList account could have exploited the vulnerability to add the domain of any major company, or domains such as gmail.com, which would have generated a list of all compromised Gmail accounts. According to the PwnedList website, the service covers over 866 million account credentials from 101,000 leaks.

Krebs had been in touch with InfoArmor while he conducted his tests. The company initially doubted Hodges’ findings, but once the issue was confirmed, the PwnedList website was taken offline and the flaw was patched.

“In reference to the PwnedList credentials tool, the data that is in question contains no PII that can result in a compromise due to the fact that this data has already been exposed. The PwnedList Website is a legacy site from the PwnedList acquisition in 2013. Since last year, the free consumer monitoring service has been scheduled to be decommissioned by May 15, 2016. The data that was ‘exposed’ has already been ‘compromised’ – there was no loss of PII or subscriber data,” InfoArmor told SecurityWeek.

“InfoArmor values our PwnedList individual subscribers and will be offering them the opportunity to continue their relationship with InfoArmor by enrolling in our comprehensive identity monitoring product, PrivacyArmor,” the company stated.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
