A flaw in the PwnedList service exposed millions of credentials

Share this…

A serious expert discovered a flaw in PwnedList service that could have been exploited to access millions of account credentials managed by the service.

A serious vulnerability found in the PwnedList could have been exploited by hackers to gain access to millions of account credentials collected by the service.

The service PwnedList allow users to check if their accounts have been compromised, now a serious vulnerability could expose millions of account credentials collected by the service.

The PwnedList was launched in 2011 and acquired by the InfoArmor firm in 2013, the company used it to offer a new monitoring service to its business clients.

InfoArmor integrated the solution in the Vendor Security Monitoring platform.

The security expert Bob Hodges discovered a serious flaw in the service, he was trying to monitor .edu and .com domains when discovered a security issue that allowed him to monitor any domain.

Every time a user wants to monitor a new domain or a specific email address needs to insert it in platform watchlist and he has to wait for the approval of the service administrators.

Hodges discovered that the lack of input validation could allow an attacker to manipulate a parameter to add any domain to the watchlist.

The issue affects the two-step process implemented by the PwnedList service to add new elements to the watchlist. The expert discovered that the second step did not consider the information submitted in the first step, allowing an attacker to submit arbitrary data by tampering with the request.

Hodges reported the issue to the popular security investigator Brian Krebs who confirmed the existence of the problem.

“Last week, I learned about a vulnerability that exposed all 866 million account credentials harvested by pwnedlist.com, a service designed to help companies track public password breaches that may create security problems for their users.” wrote Krebs in his blog post.

Krebs added the Apple.com domain to his watchlist and in just 12 hours he was able to access over 100,000 Apple account credentials.

“Less than 12 hours after InfoArmor revived my dormant account, I received an automated email alert from the Pwnedlist telling me I had new results for Apple.com. In fact, the report I was then able to download included more than 100,000 usernames and passwords for accounts ending in apple.com. The data was available in plain text, and downloadable as a spreadsheet.”

PwnedList watchlist Brian Krebs

An attacker could abuse the service to gather information to target a specific organization and gather its account credentials.

Krebs reported the issue to InfoArmor that after initial concerns it has admitted the problem.

The operators of the PwnedList website temporary shut down the service in order to fix the problem.