The PPS "Techno-Blog"
The Pitfalls of Demo Accounts for Web Applications: Seller Beware!


Authored by Robert Gorski, Sr. Security Consultant at Pivot Point Security.

Do you provide a demo login account to your web application product?  You may be exposing your customers' data to anyone who wanders in.

Demo accounts for a web application are often created in the same fashion as a normal user account.  The only difference might be that a scheduled job occasionally deletes any new information created in the account and resets its settings to some default.

On a recent engagement, we were tasked with evaluating a web application that allows our client's customers to manage communication with their contact lists.  The contact functionality allows the user to create a mail-merge document including any of the saved fields for their contact.  During the creation of one of these mail-merge documents, it is possible to preview the finished product with real contact information.

While examining this particular piece of the software, we discovered an Insecure Direct Object Reference vulnerability.  In this case, changing a key value in the URL changed the data in the mail-merge preview.  It did not take long to notice that we were getting real information from some of the random identifiers we were trying, including full names, email addresses, mobile phone numbers, and physical addresses.

Our client's demo site used the same data store as the production site, and the one error we found in their application was putting the personal information of potentially thousands of people at risk.  Anyone could have created that mail-merge document and started harvesting contact information.

Maintaining a data store for your demo site that is completely separate from your production data is a key factor in maintaining the overall security of your customers' data.  Even if you have a third-party attestation to the security of your product, you might have a well-coded and secure application today, but new vulnerabilities are found all the time, and the person who finds yours tomorrow might not be an ethical hacker!
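To make the two points above concrete, here is an added example (not code from the application in the engagement or from Pivot Point Security) that contrasts a mail-merge preview lookup with the Insecure Direct Object Reference described above against one that scopes every lookup to the caller's account and gives the demo login its own data store. The contact records and the account names "demo" and "acme" are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    id: int
    owner: str   # account that created the contact
    name: str
    email: str


# Constructed sample data. The vulnerable design keeps demo and customer
# contacts in one table; the hardened design gives the demo account its own.
SHARED_STORE = {
    1: Contact(1, "demo", "Demo Contact", "demo@example.com"),
    2: Contact(2, "acme", "Real Customer", "real@example.net"),
}
PROD_STORE = {2: SHARED_STORE[2]}
DEMO_STORE = {1: SHARED_STORE[1]}


class NotFound(Exception):
    pass


def render(c: Contact) -> str:
    return f"Dear {c.name} <{c.email}>,"


def preview_vulnerable(contact_id: int) -> str:
    """Mirrors the flaw in the post: the id taken from the URL is the only key,
    so any logged-in caller (the demo login included) can preview any contact."""
    c = SHARED_STORE.get(contact_id)
    if c is None:
        raise NotFound(contact_id)
    return render(c)


def preview_scoped(caller_account: str, contact_id: int) -> str:
    """Hardened: demo sessions read a separate store, and every lookup is
    filtered by owner, so a foreign id is indistinguishable from a missing one."""
    store = DEMO_STORE if caller_account == "demo" else PROD_STORE
    c = store.get(contact_id)
    if c is None or c.owner != caller_account:
        raise NotFound(contact_id)
    return render(c)
```

In a real deployment the owner filter belongs in the query itself (a `WHERE owner = :caller` clause, or a tenant-scoped ORM query), and the demo store is a separate database or schema rather than a second dictionary.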
