On 31/03/2017 19:31, tarah.syman...@gmail.com wrote:
> On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote:
>> Dear Tarah,
>>
>> Below some friendly speculation as to what the parts that some bloggers
>> claimed were included (if those claims were somehow true) might have
>> been (i.e. where *you* might look for it in internal Symantec
>> systems/records).
>
> Thank you.
>
>> Could this be about some other URLs in the (now hopefully closed) RA
>> interface?  Such as an interface for requesting the QuickInvite URL for
>> later forwarding to the subscriber?
>>
>> Perhaps an interface that takes only "known/guessable" parameters, such
>> as subscriber e-mail or order number?  This would explain the claim
>> that a URL sent to one subscriber by an incompetent RA could be
>> edited to retrieve the data for another subscriber.
>
> Nope. That QuickInvite URL was/is hashed and salted. I have personally seen
> the code for generating it. Just editing stuff in that URL without being
> able to crack it wouldn't give any useful information or lead anywhere.
> Although now I'm kinda wanting to create a specific error page for people
> who try. Nah. It'd be funny to me and anyone trying to hack those, but the
> customers wouldn't get my jokes, likely. Brute forcing the URL would take
> too long, which is why I agree with the original decision to decrease the
> URL validity timespan. It helps prevent brute force attacks too.

Yep, but there must have been an API (at some level) for generating or
processing the QuickInvite URL.  That was what I was suggesting might
have been the issue.

> Also, I was just chatting with Chris. I just found out that the reseller
> in question was dropped from our Symantec a while back. Details to follow,
> but suffice it to say that they are no longer a problem for us.

Great!

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
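The two points the thread turns on, that editing fields in a salted, hashed QuickInvite URL gets the editor nothing, and that a shorter validity window shrinks the brute-force exposure, as an added example that is neither Symantec's code nor part of this thread: a constructed invite-token scheme (HMAC over order number, e-mail, expiry and a random nonce; the server key and the one-hour window are assumptions), a helper that models an edited copy of the URL failing verification, and a function showing the exposure scaling linearly with the validity window.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed illustration, not Symantec's QuickInvite code: the per-deployment
# key and the one-hour validity window are assumptions.
SERVER_KEY = secrets.token_bytes(32)
VALIDITY_SECONDS = 3600
MAC_LEN = hashlib.sha256().digest_size

def issue_token(order_id: str, email: str, now: int, validity: int = VALIDITY_SECONDS) -> str:
    """Bind the invite to the order, the recipient and an expiry time.
    The random nonce keeps the token unguessable even when order number and
    e-mail are known; the MAC over every field means an edited URL no longer
    verifies, so changing the order number cannot reach another subscriber."""
    expires = now + validity
    nonce = secrets.token_urlsafe(16)  # 128 bits of randomness
    payload = f"{order_id}|{email}|{expires}|{nonce}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the invite fields if the token is genuine and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # any edited field fails here
        return None
    head, expires, _nonce = payload.decode().rsplit("|", 2)
    order_id, email = head.split("|", 1)
    if now >= int(expires):                      # stale links are refused
        return None
    return {"order_id": order_id, "email": email, "expires": int(expires)}

def edited_copy(token: str, old: bytes, new: bytes) -> str:
    """Model someone editing one field inside the URL token and re-encoding it."""
    raw = base64.urlsafe_b64decode(token.encode())
    return base64.urlsafe_b64encode(raw.replace(old, new)).decode()

def brute_force_coverage(validity: int, guesses_per_second: float, nonce_bits: int = 128) -> float:
    """Fraction of the nonce space an online guesser can try while a link is valid."""
    return validity * guesses_per_second / 2 ** nonce_bits
```

Halving the validity window halves `brute_force_coverage`, which is the effect the thread credits to the shorter timespan; the nonce size, not the window, is what makes the fraction negligible in the first place.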
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy