search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Aptexx Resident Anywhere exposes sensitive account information

Vulnerability Note VU#595884

Original Release Date: 2015-06-08 | Last Revised: 2015-07-01

Overview

Aptexx Resident Anywhere does not require authentication to view and modify sensitive information contained in direct account and payment URLs, which can be leveraged to bypass authentication and access user accounts.

Description

CWE-288: Authentication Bypass Using an Alternate Path or Channel - CVE-2014-4882

Aptexx Resident Anywhere, an online payment processing and maintenance request handling service for property managers, does not require authentication to view and modify the account information of its users. Anyone with knowledge of a direct account URL or the ability to guess one can gain account access, bypassing authentication. Account access enables a user to view and modify account data and to submit payments and requests.

Impact

A remote, unauthenticated attacker with access to a specific URL can acquire the last four digits of any stored payment account numbers, as well as the name, address, email address, phone number, and payment history of the victim user. The attacker can modify or remove account information, set a new password, and submit fraudulent maintenance requests and payments using stored payment methods.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Until this vulnerability is addressed, Aptexx users should consider the following workaround:

Do not store sensitive information

Do not store sensitive information, specifically payment (credit/debit card or bank account) information with Aptexx until this vulnerability has been resolved. Current users should consider removing sensitive information from their Aptexx accounts.

Vendor Information

595884
 
Affected   Unknown   Unaffected

Aptexx

Notified:  August 28, 2014 Updated:  July 01, 2015

Statement Date:   June 30, 2015

Status

  Affected

Vendor Statement

Aptexx is diligent in its protection of customers Personal Identifying Information (PII) as defined Fed. Reg. 15736-15754 - “Sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.”

The only information available to anyone who logs into Aptexx using the link referenced by CERT is a user’s First and Last Name. The account page does not display full credit card numbers, debit card numbers, or bank account numbers. This information resides in a different system controlled by a PCI Level 1 compliant third party and is not accessible via the payment URLs or by Aptexx. No personal bank account, credit card, or debit card information can be accessed or otherwise derived from the payment URLs. The URLs are only sent via e-mail or text message to users who have been previously authenticated by our clients. Each link is comprised of a randomly generated GUID. There is no inherent risk in displaying the last 4 digits of a bank account number or debit/credit card as that information is not sufficient to fraudulently issue transactions on an account. .

In 2014, Aptexx made the change recommended by CERT that requires users to authenticate with a username and password in order to access their account. In addition, Aptexx undergoes annual 3rd party infrastructure and application security penetration tests and resolves all issues as recommended by the independent 3rd Party.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 6.8 E:POC/RL:U/RC:C
Environmental 2 CDP:MH/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Claus Jensen for reporting this vulnerability.

This document was written by Todd Lewellen and Joel Land.

Other Information

CVE IDs: CVE-2014-4882
Date Public: 2015-06-08
Date First Published: 2015-06-08
Date Last Updated: 2015-07-01 13:09 UTC
Document Revision: 35

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.