SUFC Online Ticket system security

Jim is a good egg. He will have this sorted by lunch-time tomorrow, or heads will roll.

HH
 
Also incidentally, the guy that runs that site - Troy Hunt - is reasonably popular in the online security world. I am tempted to contact him if the club doesn't sort this out.

Hi, only just seen this thread and it got my attention! Can I ask, is this just about the insecure storage of passwords for the site (bad enough in itself) or is it also about insecure storing of card details? Apologies if you already said, but I have tried looking back through all the posts and didn't see anything. I have sometimes had my worries when using the online ticketing system - the site does seem to play up sometimes. Think the talent.co.uk bit that they link to for the ticketing is used by all the football league clubs, isn't it? Cheers, some great detective work there on your part HB!
 

It's passwords. But given that the security isn't great on them, who knows what else they could be doing? As far as I know, they don't store card details.

The provider they use is used by a number of football leagues and premier clubs, but not all of them have this vulnerability.
 
Can't log on at the moment. If I can't get a ticket today, I won't bother tomorrow when the price goes up.
 
Cheers for that. Like I think you've said earlier, I always use different passwords for every site in case one ever gets compromised.
 
I just logged on ok so the site is up. Might be worth emailing them, I once had a problem logging on and they responded to an email and fixed it quite quickly.
 
Foxy do you know if Phipps is going to be there tonight? Might collar him about this issue.

There's also this issue. When recovering a password, websites should never tell you whether those account details are valid or not; otherwise the website is vulnerable to an email enumeration attack. This means that the attacker could just get a long list of emails and automatically post them to the same URL that the website uses. If the site responds with "invalid request" then the attacker knows the email address is not in use and it can be discarded. The website should respond in exactly the same way regardless of whether or not the email is registered.

(screenshot)


Another website I know of also does the same thing :)

(screenshot)
 
Fucking hell, just found another couple of vulnerabilities, both enabling the same Email Enumeration attack.

(two screenshots)

A login form should simply say "Details are invalid" whenever an incorrect password/username is entered. It should NEVER divulge any information as to whether it was the password or the username that was incorrect.

As I say, if an attacker has a big list of emails then all they have to do is spam the website looking for responses as to whether the email address exists or not. Once they've got a valid email address they can then spam the website attempting to log in using a list of commonly used passwords, which no doubt some people will use.

They don't even need a list of email addresses, given that you can log in with a customer number which is just an integer.

That could be stopped if the website rate limited logins, but given the lax security elsewhere I'm guessing they don't.

Also, the requirements for password protection are laughable. Only 4 characters, no mixed casing, no non-alphanumeric characters.


This isn't Sheffield United's software, it's provided by a third party, but I've raised this multiple times with the club, so it is their fault for not following it up.

Maybe I'll have a word with someone tonight :)
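As an added illustration of the two oracles described in the posts above (the password-reset response and the login error message), together with the rate-limiting and plaintext-password points they raise, here is example Python that is not the ticketing vendor's code and did not come from this thread. Every identifier, password and response string in it is constructed; the exact messages the real site returned are only what the screenshots showed, so the strings here are assumptions. The enumeration routine works over any list of identifiers, so it covers the integer customer numbers mentioned as well as e-mail addresses.

```python
"""Account enumeration via login / password-reset responses, beside a hardened
version. Added illustration for this thread, not the ticketing vendor's code.
Every account, identifier, password and message below is constructed."""
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 (stdlib); never store the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(accounts):
    """identifier -> (salt, digest). Identifiers may be e-mails or customer numbers."""
    store = {}
    for ident, password in accounts.items():
        salt = os.urandom(16)
        store[ident] = (salt, hash_password(password, salt))
    return store


# Constructed sample data: two e-mail logins and one integer customer number.
STORE = make_store({
    "alice@example.com": "correct horse battery",
    "bob@example.com": "pass",    # 4 chars: the sort of policy the thread complains about
    "10042": "blades1889",        # customer number used as a login identifier
})

# ---- behaviour the thread describes: the response differs by failure cause ----
def login_vulnerable(store, ident, password):
    if ident not in store:
        return "Unknown email address"    # tells the attacker: not registered
    salt, digest = store[ident]
    if hash_password(password, salt) != digest:
        return "Incorrect password"       # tells the attacker: registered
    return "OK"


def reset_vulnerable(store, ident):
    if ident not in store:
        return "No account with that email"
    return "Reset link sent"


# ---- hardened: one response, and the same amount of work, for every failure ----
GENERIC = "Details are invalid"
_DUMMY_SALT = os.urandom(16)
# Dummy credential so unknown identifiers cost the same hashing time as real ones.
_DUMMY = (_DUMMY_SALT, hash_password(secrets.token_hex(16), _DUMMY_SALT))


def login_hardened(store, ident, password):
    salt, digest = store.get(ident, _DUMMY)
    candidate = hash_password(password, salt)
    if ident in store and hmac.compare_digest(candidate, digest):
        return "OK"
    return GENERIC


def reset_hardened(store, ident):
    # Any e-mail goes out of band; the HTTP response itself carries no signal.
    return "If that address is registered, a reset link has been sent"


class RateLimiter:
    """Sliding-window limit per key (source IP or account). Refused attempts never
    reach the password check, so guessing a 4-character password stops being free."""

    def __init__(self, max_attempts, window_seconds):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.max_attempts:
            return False
        hits.append(now)
        return True


# ---- the attacker's side: group candidate identifiers by the response text ----
def enumerate_accounts(oracle, candidates):
    """Two or more groups means the endpoint reveals which identifiers exist;
    a single group means the attacker learned nothing from the responses."""
    groups = defaultdict(set)
    for ident in candidates:
        groups[oracle(ident)].add(ident)
    return dict(groups)


if __name__ == "__main__":
    cands = ["alice@example.com", "nobody@example.com"] + [str(n) for n in range(10040, 10045)]
    print(enumerate_accounts(lambda i: login_vulnerable(STORE, i, "guess"), cands))
    print(enumerate_accounts(lambda i: login_hardened(STORE, i, "guess"), cands))
```

Run as a script: the first line of output splits the candidates into two groups and so exposes exactly which addresses and customer numbers are registered, while the second line is a single group under "Details are invalid". Note that the hardened login still hashes a dummy credential for unknown identifiers, otherwise a faster response for unknown users would leak the same information through timing.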
 
The website is a template used by most clubs.

Basically it's been contracted out to cowboys.

I imagine you're not getting a response because literally no-one knows what you're talking about. This isn't a criticism of anyone, just a fact of ICT life.

You'd need to get through to someone in a high level position capable of understanding the issues involved and doing something about it.

But given that we're handing over control of nuclear power plants to the Chinese maybe there's no-one in the country with both the authority and the understanding to address this issue. Given what Stuxnet did isn't this, eventually, national and cultural suicide? Or not?
 
The ticketing system is a separate system from the website itself.

Phipps did get back to me on Facebook, but heard nothing since.

Everton are using the same system as us and they're vulnerable too. Liverpool use the same company but a different system which doesn't have the same vulnerabilities.
 
someone in a high level position capable of understanding the issues involved
Pull the other one. I work in IT, these people are as rare as rocking horse shit.

Given the shoddy nature of what Highbury_Blade has highlighted, there aren't even any low level people involved that understand this, never mind high level...
 
Excellent work Highbury. I don't usually post outside general blades chat, but this is something I've both had trouble with in the past and also understand, as you do. As far as security systems go, on a separate interface from the original site, it is incredibly easy for a hacker to gain access in any which way they fancied.

I had my account compromised a while back, although I wasn't convinced at the time it was an attack as such, or even an intended compromise. There were games in my purchase history that I knew I had not attended, with seats I definitely had never sat in before. I was appreciative of the increase in loyalty points, mind.

Initially I wondered if someone had rung through to book with the same surname and the phone operator had mistakenly updated the wrong account. Then I checked to make sure my card details hadn't been used to make these purchases, as obviously if they hadn't I would know it had been a mistake via the telephone system, and if they had I knew someone was getting a few free matches at my expense. It transpired the money had come off my card and I had to quickly regain access, as well as block and change my card details in case they had retained them in any way.

Not your usual hacker but there you go. Anyway, long story short, the system is not fit for purpose, and actions needs to be taken whether it be from SUFC or the individual host website operators. It's an amateur practice arena for even the most basic of cyber attacks.
 
barnyblade I'm drinking at the moment, but I'll PM you tomorrow. Need to get as much evidence together as possible to take this to the club and shame them into putting funds into getting the system upgraded.

The club could afford it but instead choose to spend money on reserve players' wages.
 
I've just realised this is in general blades chat, whoops, not sure why I thought otherwise.

How do you plan on taking this to the club out of interest? I seem to remember Phipps acknowledging the problem on facebook a while ago, swiftly followed by zero attempt to sort it.

Was it you that raised it with him? Can't remember now.
 
Yeah that was me. I'm at the dinner thing tonight. I might mention it if I'm not too pissed :)

Otherwise I'll be writing about it online. Might do a series on other clubs as well.
 
Maybe I'll have a word with someone tonight :)

I don't think anyone will be in attendance that will be able to do anything/in a position to understand. Will bring it up again with the relevant people myself this week.

Other steps are in place here to alleviate such an issue as described above.
 
I'm only winding you up :)
 
Update: I had a chat with Mal Brannigan about it earlier today, and the software company have responded to my complaint and said they will get the plain text password issue sorted. I've passed on the list of other holes that I've found, so hopefully they will get fixed as well.
 
Sort of on a par with how a major ISP operates then - TalkTalk say they don't even know what customer details are encrypted and what aren't.

There's absolutely no way they don't know. It's not like it's a magical thing that sorts itself.
 

I know. I suspect they have found customer info stored, possibly unencrypted, on the actual web server in the DMZ, where it should not have been stored, because they said the back end systems were not accessed.
 
