Massive security hole in Telecom's Xtra ISP service

An astounding security hole in Telecom's Xtra service means almost all its customers' communications have been insecure since the ISP launched.

An astounding security hole in Telecom's Xtra service means almost all its customers' communications have been insecure since the ISP launched.

The hole, a password issue, is built into Xtra's registration system--this writer has been shown the problem by one security expert and agrees it makes abuse so easy it would be irresponsible to go into any further detail.

One of those asked to verify the problem before ISPANZ notified Xtra, Craig Anderson, director of security at ProNet, describes the hole as "so big and so insecure that for me to furnish any detail on it could be absolutely disastrous. But it certainly indicates that Telecom doesn't know much about security and suggests that its plans for online banking and commerce are something to worry about."

The problem was accidentally discovered by a member of the recently-formed Internet Service Providers' Association of New Zealand (ISPANZ). ISPANZ spokesman Ron Woodrow has sent a letter to the office of Xtra boss Chris Tyler notifying him of the problem and recommending "urgent action to correct the situation".

@IDG contacted Woodrow, who said he was reluctant to comment until he had received a response from Telecom "and I must say I'm surprised I haven't already had one". @IDG has also been unable to gain a response.

Woodrow's letter says the security problem "would affect not just Xtra customers, but many Internet users who may have communicated with Xtra customers."

It asks Telecom to verify the problem, notify all users that they have no security until it is corrected and that they should assess the consequences should their privacy have been compromised.

On confirmation, ISPANZ will also ask its members to warn their own customers "not to send any private documents to the Xtra system until an all-clear has been issued by (an) independent expert".

Join the newsletter!

Error: Please check your email address.
Show Comments
[]