It took close to two months, but free wireless and mobile provider FreedomPop has acknowledged reports of a serious vulnerability in its service.
U.K.-based researcher Paul Moore told Threatpost that FreedomPop, which has been operating in the U.K. since last September, finally responded to a bug report that Moore had sent twice since March 24, in addition to an email to its chief technology officer and numerous attempts over Twitter.
Moore on Monday published a blog post explaining the critical nature of the vulnerabilities in FreedomPop and how they can be combined with unrelated bugs on the Halifax bank website to put customers’ accounts at risk.
Moore said that Halifax and the Lloyd’s Banking Group verified his exploit and promised a fix within a three-to-four-week timeframe.
“Both are very simple both to find and fix,” Moore said. “The FreedomPop vuln is very serious, even without the Halifax… but in reverse, the Halifax vuln is potentially serious, especially when combined with exploits which undermine their method of anti-fraud verification.”
Since neither issue has been patched, Moore declined to share details. A request for comment from FreedomPop was not returned. FreedomPop replied a short time ago:
“We have not been able to confirm any of Mr. Moore’s claims as his post provides no details and he has not responded to repeated requests for details,” a representative told Threatpost, a claim that Moore denies. A timeline published on his blog shows the dates he said he messaged FreedomPop. “We believe we have security measures in place to combat his theoretical claim, and we have no reported incidents to date. Until he provides details or examples, there is nothing we can respond to at this time.”
FreedomPop, Moore said, has more than a million U.K. users and most take advantage of the company’s free offerings, which include free calls, texts and data plan. Given that many online banking services use mobile as a second form of authentication in the form of a one-time password sent over SMS, or as a fallback number in case of a forgotten credential, the combination of the FreedomPop issue with that of Halifax bank is worrisome, Moore said.
“It is currently possible to remotely hijack any FreedomPop account, allowing both calls and messages to be made/intercepted by an attacker,” Moore wrote on Monday. “No usernames, no passwords and no SIM swapping… just unfettered access to a user’s communications.”
Given that an attacker would have access to everything from contacts to SMS messages, Moore said it’s not a difficult leap to monetize his attack via the vulnerability on the Halifax website.
“A serious (yet remarkably simple) vulnerability in the Halifax site allows an attacker to execute arbitrary and external scripts,” he wrote. “This gives the attacker complete control over the victim’s environment; changing links, buttons, text and crucially… perform actions as if they’re the genuine user.”
Moore provided an example of how an attacker could use the Halifax bug to create a phony section on the Halifax website, enticing customers to enter personal information.
Halifax initially downplayed the severity of the bug, saying that safeguards in place such as adding and verifying new payees via a mobile number mitigate those concerns. However, if an attacker controls the victim’s mobile FreedomPop account associated with his online banking, they would be able to bypass such an antifraud measure.
[Halifax’s] failure to adopt even the most basic of safeguards means it’s possible to fire both exploits simultaneously and directly on Halifax’s own site.,” Moore wrote. “To make matters worse, the exploit takes place on the user’s device; effectively shielding the attacker from the vast majority of anti-fraud checks.”
Moore was equally as harsh on FreedomPop’s lack of response.
“It certainly doesn’t reflect well on FreedomPop’s ability to safeguard information… and I given the quantity and severity, I’d question if a security audit has taken place at all,” Moore said.
This article was updated on May 3 with a comment from FreedomPop.