Callwave.com's customer service automated termination service is vulnerable to caller-ID authentication spoofing, enabling arbitrary termination of customer accounts.
171555055c098024d7fb30eb1ea9a57dc49c2128b9f5392a611a4f04e6da62e5
Secure Science Corporation Advisory TSA-052
https://www.securescience.net
e-response@securescience.net
877-570-0455
---------------------------------------------------------
Callwave.com customer service automated termination service is
vulnerable to caller-ID authentication spoofing, enabling arbitrary
termination of customer accounts.
---------------------------------------------------------------------
Vulnerability Classification: Authentication bypass, Denial of Service,
Misplaced trust.
Discovery Date: October 25, 2004
Vendor Contacted: October 25, 2004
Advisory publication date: November 3rd, 2004
Vendor Description:
-------------------
CallWave's easy-to-install software helps consumers and businesses get more
out of their wireless phone, home phone, and Internet-connected PC by 'bridging'
calls between these devices. Millions of households and small businesses have
installed CallWave to get important calls instantly no matter where they are,
receive faxes on their PC, and even screen out unwanted calls all without
purchasing or installing additional hardware.
Abstract:
---------
Callwave.com grant implicit trust to service subscribers Caller-ID input for
customers to terminate their accounts via the automated termination service 800
number. Caller-ID spoofing allows forgery of a calling number to the target
number. When spoofing a subscriber number while calling the automated 800
service, the target depends solely on the CID for authentication and grants
termination of the customer account associated with the specific number spoofed.
Description:
------------
During recent explorations with telephone bridging software, we signed up for
the callwave service temporarily. The process to cancel the service when
requested directed us to call an automated 800 service from your subscription
number. Forging the caller-id and calling the 800 service number enabled the
termination
request to be successful.
It is untested whether CID/CPN spoofing impacts other features of callwave at
this time.
Tested Vendors:
---------------
Callwave.com
Vendor and Patch Information:
-----------------------------
Secure Science Corporation has made attempts to contact the vendor with no
response.
Solution:
---------
Add 2-factor authentication (passcode requirement) by default and cease implicit
trust of Caller-ID information. Alternatively use ANI with 8xx numbers.
Credits:
--------
Secure Science Corporation: Lance James
Disclaimer:
-----------
Secure Science Corporation is not responsible for the misuse of any of the
information we provide on this website and/or through our security advisories.
Our advisories are a service to our customers intended to promote secure
installation and use of Secure Science Corporation products.