O2 Website Login Phishing Vulnerability
Trivial design flaw, not sure if it could cause much harm though
As of Nov 2010, it seems O2 have fixed this.
I was happily browsing the internet, and was about to log into my O2 account, when I saw something odd. I decided to investigate further. I have concluded that there is some cause for concern, and that there is a phishing vulnerability in the O2 login page.
The vulnerability is the sendTo parameter:
https://www.o2.co.uk/login?sendTo=http://yoururlhere.com
Upon successful login, the user is redirected to whatever URL the sendTo parameter specifies; the destination is never checked, so it can be any site (an open redirect). This makes it easy to play a nice trick.
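As an added illustration (not code from this page or from O2), here is the flawed "redirect wherever sendTo says" behaviour beside a handler that only follows a sendTo target that stays on the site; the trusted hostname and the fallback landing path are assumptions.

```python
"""Validate a login?sendTo=... target before redirecting (illustrative, not O2's code)."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qs

TRUSTED_HOSTS = {"www.o2.co.uk"}  # assumption: the only host users may be sent back to
DEFAULT_LANDING = "/account"      # assumption: fallback when sendTo is missing or rejected


def vulnerable_redirect(send_to: str) -> str:
    """The behaviour described on the page: go wherever sendTo points."""
    return send_to


def safe_redirect(send_to: Optional[str]) -> str:
    """Return a redirect target on a trusted host, or the default landing page.

    Rejects absolute URLs to other hosts, scheme-relative //host URLs,
    userinfo tricks (trusted.host@evil), non-http(s) schemes, and backslashes,
    which some browsers treat as forward slashes.
    """
    if not send_to:
        return DEFAULT_LANDING
    candidate = send_to.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_LANDING
    if parts.netloc:
        # absolute (or //host) URL: hostname must match exactly, no user:pass@ allowed
        if parts.hostname not in TRUSTED_HOSTS or parts.username or parts.password:
            return DEFAULT_LANDING
        return candidate
    # relative target: must be a single-slash path on this origin
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_LANDING
    return urlunsplit(("", "", parts.path, parts.query, ""))


def redirect_after_login(login_url: str) -> str:
    """Where a fixed login page would send a user who clicked the given login URL."""
    query = parse_qs(urlsplit(login_url).query)
    return safe_redirect(query.get("sendTo", [None])[0])
```

Fed the page's own link (bogus ref/auth parameters plus an external sendTo), the checked version lands on the default page instead of the attacker's site.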
The trick requires a bit of social engineering, but it is convincing. An email could be sent to an unsuspecting O2 customer, telling them to log into their account at:
O2 Account Login
(The link goes to https://www.o2.co.uk/login?ref=acc3439284324324324afffc324324324909934324832&auth=458947598544324c324d32432434349873429f324324d324349343247893294&sendTo=http://www.josephn.net/jokes/o2concept). I added some bogus GET parameters so that the sendTo parameter gets hidden in the address bar at most screen resolutions (the URL is wider than the address bar).
Trick the victim
Oh what now, better sign in and take a look. Hmm, can't be a phish, the URL is correct. SSL says it's from O2
WTF!!! Butter fingers, after all these years I still can't type!
O shit
I have sent an e-mail to O2 customer service regarding this, but I'm still waiting for a reply.