Home page logo

fulldisclosure logo Full Disclosure mailing list archives

FON (fon.com) - Crappy security policy part II
From: Anonymous via the Cypherpunks Tonga Remailer <nobody () cypherpunks to>
Date: Sun, 1 Oct 2006 19:05:13 +0200 (CEST)

FON (www.fon.com) is some semi-free wifi service. Members contribute
their connection and allow other FON users to use their connections
for free or small money (depends, the users have to contribute their
connection to get free access).

Although the users have to identify at the hotspot, we have

problem #1:
The police would'nt care that you share your internet connection when
they find your IP in some logs related to hacking, copyright issues,
child porn or whatever. They will first confiscate your equipment and
ask then.

problem #2:
It is or was possible to steal anyone's credentials:

problem #3:
At the time, when I realized the existance of FON, it was possible to
register with fake e-mail addresses, because they had a lame
verification mechanism (something like
http://fon.com/verify.php?email=president () whitehouse gov). I
successfully registered dozens of fake accounts that way and all these
accounts still work. At least that hole has been fixed in the

However. Although problem #2 has been made public, no "please set a
new password" requests have been sent to the subscribers. Although
they seem to know that they had problem #3 (otherwise they would'nt
have fixed it), they did no approach to *verify* their user identies
(my "regular" FON account has not been verified and my fake accounts
still work).

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • FON (fon.com) - Crappy security policy part II Anonymous via the Cypherpunks Tonga Remailer (Oct 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]