Customer database leak on CSL Dualcom’s SIM registration portal

CSL Dualcom sell SIMs for M2M purposes. They need to be registered on their website.

This website is http://m2mconnect.csldual.com/SignUp – firstly, note that it does not use TLS at all. This is not excusable in 2015.

On browsing the site, it was noted that the search string was required to be 3 or more characters, but this was enforced only by client-side JavaScript.

Using the site with JavaScript turned off allowed a zero-length search to be submitted. Initially this appeared to cause the request to freeze. However, after waiting ~10 minutes, it became apparent that the empty search had returned every single record from the database – several megabytes of data.

All the companies

Through the UI this just appeared to be company name, town and postcode. However, inspection of the traffic showed that a massive JSON structure had been downloaded, including a company ID, “UniqueCode”, email address and often mobile number.

{
  "InstallerCompanyID": "327398f6-431b-4495-8193-96789ecbe2bd",
  "CompanyName": "Minster Alarms",
  "ContactName": "Minster Alarms",
  "PostCode": "YO32 9NQ",
  "Town": "York",
  "UniqueCode": 134265,
  "Accreditation": "NSI",
  "AddressOne": "Suncliffe House",
  "AddressTwo": "New Lane, Huntington",
  "County": "",
  "Country": "UK",
  "CountryId": 0,
  "CurrencyId": 0,
  "Email": "info@minsteralarms.co.uk",
  "Mobile": ""
}

On clicking the company name, a list of users was returned, including personal email addresses, phone numbers and usernames:

Users

These issues were reported to CSL Dualcom on 1st May. The issues were acknowledged on the 3rd May and fixed on the 4th by limiting the fields available.
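As an added example (not CSL Dualcom's code), the two server-side controls that would have prevented both halves of this leak: re-validating the minimum search length on the server rather than trusting the client-side check, and projecting results to only the fields the UI actually displays. Field names are taken from the record above; the sample values, the helper names and the limits are constructed assumptions.

```python
"""Server-side enforcement of checks the portal left to client-side JavaScript."""
import json

# Only the fields the search UI displays; everything else stays server-side.
PUBLIC_FIELDS = ("CompanyName", "Town", "PostCode")
MIN_QUERY_LEN = 3   # the rule the client enforced; must also hold on the server
MAX_RESULTS = 50    # a hard cap so no query can dump the whole table

# Constructed sample records in the shape of the leaked JSON (values invented).
SAMPLE_RECORDS = [
    {"InstallerCompanyID": "00000000-0000-0000-0000-000000000001",
     "CompanyName": "Example Alarms", "ContactName": "A. Person",
     "PostCode": "AB1 2CD", "Town": "Sometown", "UniqueCode": 1,
     "Email": "contact@example.invalid", "Mobile": "07000000000"},
    {"InstallerCompanyID": "00000000-0000-0000-0000-000000000002",
     "CompanyName": "Example Security", "ContactName": "B. Person",
     "PostCode": "EF3 4GH", "Town": "Othertown", "UniqueCode": 2,
     "Email": "info@example.invalid", "Mobile": ""},
]

class BadRequest(ValueError):
    """Raised for requests that are rejected regardless of what the client checked."""

def search_companies(query, records=SAMPLE_RECORDS):
    """Validate the query length, cap the hit count and return only PUBLIC_FIELDS."""
    if not isinstance(query, str):
        raise BadRequest("query must be a string")
    q = query.strip().lower()
    if len(q) < MIN_QUERY_LEN:
        raise BadRequest("query must be at least %d characters" % MIN_QUERY_LEN)
    hits = [r for r in records if q in r.get("CompanyName", "").lower()]
    return [{k: r.get(k, "") for k in PUBLIC_FIELDS} for r in hits[:MAX_RESULTS]]

def leaked_fields(response_json):
    """Review helper: list every non-public field present in a JSON search response."""
    rows = json.loads(response_json)
    return sorted({k for row in rows for k in row if k not in PUBLIC_FIELDS})

# What the original portal returned versus what the hardened handler returns.
RAW_RESPONSE = json.dumps(SAMPLE_RECORDS)
HARDENED_RESPONSE = json.dumps(search_companies("exam"))

if __name__ == "__main__":
    print("fields leaked by raw response:", leaked_fields(RAW_RESPONSE))
    print("fields leaked by hardened response:", leaked_fields(HARDENED_RESPONSE))
```

Running `leaked_fields` over a captured response is a quick way to confirm that a fix "limiting the fields available" actually removed the contact data from the wire, not just from the UI.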

During the leak, over 5700 companies' details were available. It was confirmed that some of these had never registered SIMs, so it is likely the full CSL customer database.

6 months on, the registration site is still using HTTP.
