MD5 cryptographic hash function used to secure passwords

Feb 5, 2015 15:46 GMT  ·  By

A researcher claims he found two possible security issues stemming from the way the latest version of Bitdefender Internet Security interacts with the MyBitdefender web console, allowing disclosure of the user’s log-in password for the account.

MyBitdefender is an online dashboard where a user can check the current protection status of all Bitdefender installations associated with their account, for both desktop and mobile devices.

Depending on the product, there are options for locating stolen devices and locking them, managing data backups or setting up parental restrictions.

Passwords can be discovered from MD5 hashes

In a blog post published on Wednesday, the researcher, who goes by the name of Jerold, describes two methods he used, one for reversing password hashes and one for brute-forcing one’s way into the account.

By inspecting the communication between the antivirus product and the online administration console, he noticed that the MD5 hash of the password was included in the request URL.

The MD5 cryptographic hash function always produces the same fixed-size output for a given input and is designed so that the input cannot be recovered from the output.

Since the same input always yields the same output, someone can take a dictionary of common passwords, compute the hash of each entry and compare it against the target value until a match is found, thus revealing the original password.

Unless the password is strong enough, relying on MD5 is not a particularly safe way to protect the data.
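The dictionary attack described above, written out as an added example (this is editorial illustration, not code from the article or from the researcher's post). The wordlist and the salt are constructed values; the script shows why an unsalted MD5 of a weak password is recoverable by simple lookup, and why a per-user salt defeats a precomputed table even though it does not make a weak password strong.

```python
import hashlib
import os

# Constructed sample wordlist; a real audit would use a large leaked-password list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine", "iloveyou"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a string, hex-encoded, the form the article says appeared in the URL."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_table(wordlist=WORDLIST) -> dict:
    """Precompute hash -> password for every dictionary entry (a tiny rainbow-table analogue)."""
    return {md5_hex(word): word for word in wordlist}


def lookup(target_hex: str, table: dict):
    """Return the password whose unsalted MD5 equals target_hex, or None if it is not in the table."""
    return table.get(target_hex.lower())


def salted_md5_hex(password: str, salt: bytes) -> str:
    """Salted hash: the same password now yields a different digest per salt, so a table
    built from bare passwords never matches. (Illustrative; a real system should use a
    slow password hash such as PBKDF2, bcrypt or Argon2, not plain MD5 even with salt.)"""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def audit_hash(target_hex: str, table: dict) -> str:
    """Defender-side check: classify a captured hash as weak (dictionary hit) or not found."""
    hit = lookup(target_hex, table)
    return f"WEAK: matches dictionary word {hit!r}" if hit else "not in dictionary"


if __name__ == "__main__":
    table = build_table()
    captured = md5_hex("password")            # constructed stand-in for a hash seen in a URL
    print(captured, "->", audit_hash(captured, table))
    strong = md5_hex("7Qz!v9#pLm2&wXr")        # constructed strong password
    print(strong, "->", audit_hash(strong, table))
    salt = os.urandom(16)
    print("salted:", audit_hash(salted_md5_hex("password", salt), table))
```

Note that the salted case still fails only the precomputed lookup; an attacker who also learns the salt can rehash the dictionary per account, which is why the cost of each guess (slow hashing) and the strength of the password itself remain the deciding factors.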

Connection is encrypted with TLS 1.2

However, Bitdefender encrypts the connection to its MyBitdefender portal so that, even if it is intercepted in transit, it is not readable and an attacker would not have any use for it.

“We have looked into the described issue and we were unable to reproduce it. The communication between clients (be they browsers or Bitdefender products) and the my.bitdefender.com service is done via TLS v1.2. There is no way an attacker could intercept the conversation and decrypt it to get the hashed password in transit,” said Bogdan Botezatu, Bitdefender senior threat analyst.

Reading traffic that is protected in transit is possible, though, if the computer has been compromised by malware that hooks into the browser, in what is called a man-in-the-browser (MitB) attack.

Through MitB, a threat actor has direct access to the information in the browser memory, where it is not encrypted, and they can manipulate the traffic to serve the victim content purporting to be legitimate, without raising any suspicion.

Botezatu stresses the fact that Jerold provided a traffic example that had been extracted from the browser, where data was readily available in the clear. “Once again, this capture has not been taken in transit, but directly from within the browser,” he said via email.

The second issue exposed by Jerold refers to the possibility of a brute-force attack on the log-in page of MyBitdefender, which also features a secure connection.

The researcher points out that there is no visible limit on the number of failed log-in attempts, which would suggest that the log-in mechanism can be subjected to brute-force abuse, provided that the attacker already knows the victim’s username.

According to Botezatu, Bitdefender has a protection mechanism in place that “throttles and even blocks temporarily” failed authentication attempts coming from the same IP address.
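The kind of per-IP throttle-and-block mechanism Botezatu describes, as an added example (editorial illustration, not Bitdefender’s code; the thresholds, delays and the sample IP addresses are assumed values). Failed attempts from one source within a sliding window first earn an escalating delay and, past a second threshold, a temporary block; a successful log-in clears the counter, and other sources are unaffected.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-source-IP failed-login throttle. Assumed policy: the first `free_failures`
    failures in `window` seconds cost nothing, each further failure doubles the delay
    (capped at 60 s), and `block_after` failures trigger a block of `block_seconds`."""

    def __init__(self, window=300.0, free_failures=3, block_after=10,
                 block_seconds=900.0, clock=time.monotonic):
        self.window = window
        self.free_failures = free_failures
        self.block_after = block_after
        self.block_seconds = block_seconds
        self.clock = clock                      # injectable for deterministic testing
        self.failures = defaultdict(deque)      # ip -> timestamps of recent failures
        self.blocked_until = {}                 # ip -> time at which the block lifts

    def _recent(self, ip, now):
        """Drop failures older than the window and return the remaining queue."""
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, ip):
        """Return (allowed, delay_seconds) for an attempt from `ip`.
        allowed=False means the source is temporarily blocked; the delay then says how long."""
        now = self.clock()
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False, until - now
            del self.blocked_until[ip]          # block expired: start clean
            self.failures[ip].clear()
        excess = len(self._recent(ip, now)) - self.free_failures
        delay = 0.0 if excess <= 0 else min(2.0 ** excess, 60.0)
        return True, delay

    def record_failure(self, ip):
        """Register a failed attempt; return 'ok', 'throttled' or 'blocked'."""
        now = self.clock()
        q = self._recent(ip, now)
        q.append(now)
        if len(q) >= self.block_after:
            self.blocked_until[ip] = now + self.block_seconds
            return "blocked"
        return "throttled" if len(q) > self.free_failures else "ok"

    def record_success(self, ip):
        """A correct password resets the failure history for that source."""
        self.failures.pop(ip, None)


class FakeClock:
    """Manually advanced clock so the policy can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clk = FakeClock()
    th = LoginThrottle(clock=clk)
    attacker = "203.0.113.5"                    # constructed sample address
    for n in range(1, 11):
        clk.t += 1.0
        print(n, th.record_failure(attacker), th.check(attacker))
    clk.t += 900.0
    print("after block expiry:", th.check(attacker))
```

Keying the limiter on source address alone is what the quoted mechanism describes; in practice a defender also tracks failures per account, since an attacker spread across many addresses would otherwise stay under the per-IP threshold.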