Wednesday 22 October 2014

Boingo Hotspot Bypass Analysis

In this post I'll take a look at what seems to be a bypass vulnerability in the current version of Boingo hotspot that allows anyone to access free wifi.


Boing-what-go?

While waiting for my plane at JFK airport I thought I'd check for free wifi, scanning the local area I saw an AP called "Boingo hotspot" and decided to give it a go.


However after connecting to the access point I found out Boingo was a pay only wifi service and all my requests were being redirected to the Boingo site.

https://www.boingohotspot.net/ResponsivePreroll.aspx?lang=en&SCC=CCGJFK001

Looking over the site I came across the "Good Stuff" feature which appeared to allow access to a small number of whitelisted sites for free. However after visiting one of the Good Stuff links I somehow gained full unrestricted internet access...

Googling this feature it turns out the flaw had already been discovered and publicly disclosed. No where however explained how the flaw worked. Lets take a look.


Secret to the Good Stuff

The Good Stuff feature, in theory, provides access to a small selection of whitelisted sites. For example:


Behind each of those buttons is an interesting looking link, something like this:

https://www.boingohotspot.net/ClickCapture.aspx?linkID=BoingoSponsorship&promoId=BIP000000000108&promocode=JFKTheGoodStuff&redirectURL=http://www.imdb.com/

It turns out the promoId/promocode function as a kind of username/password and once the link is clicked an authentication process is kicked off. Roughly something like this:

1. After clicking the link the server will return a sessionID ("s"), which is then sent with the promoid/promocode to retrieve temporary credentials.

https://www.boingohotspot.net/SponsorInternalBoingoRadius.aspx?campaignType=0&s=bnagn1j42rohtxvlzqhq1qgg&promoId=BIP000000000108&promocode=JFKTheGoodStuff

2. The temporary username and password received are then submitted to login.aspx in a POST request. Notice that the temporary username includes my MAC address, promocode, airport, terminal and a suspicious password-like string "bwpromo!1".

username=boingo/bwpromo!1|C01885DBFED1|0|0|0|Promo|0|BIP000000000108|jfk|term7|0|1412015104&password=ee0472ab2c647b2f77322257642b876bc346a3eb4dcaeef52a792f15fff6241c&domain=&dst=https://www.boingohotspot.net/

3. Once the login request completes, your ip should have been added to the allowed list and you can now browse the full internet!


https://www.boingohotspot.net/welcome.aspx?username=boingo/bwpromo!1|C01885DBFED1|0|0|0|Promo|0|BIP000000000108|jfk|term7|0|1412015104&logoutURL=http://jfk-t7.boingohotspot.net/logout


What the heck is going on?

The main issue is that whitelist restrictions for "Good Stuff" users are simply not enforced. There should be some server-side mechanism that is monitoring and filtering http requests to only allow content from whitelisted sites, this seems to be missing or at least was not enabled.

Also I'm not too sure why they included an authentication process for the free content. For paying customers authentication makes sense but for free content it shouldn't be needed. Tracking users is one possibility but this could have been done with cookies, headers or POST requests.


Final thoughts

With only an hour to spare before my flight it was a shame I didn't have longer to play with the Boingo hotspot. When you come across issues as bizarre as this you just know there are more security holes just lurking below the surface :)

Thanks for reading, feedback and questions are welcome, just drop me a comment below.