Boingo Username And Password Hack
Looking over the site I came across the 'Good Stuff' feature, which appeared to allow access to a small number of whitelisted sites for free. However, after visiting one of the Good Stuff links I somehow gained full unrestricted internet access. Googling this feature, it turns out the flaw had been discovered and publicly disclosed. Nowhere, however, explained how the flaw worked. Let's take a look.
Secret to the Good Stuff

The Good Stuff feature, in theory, provides access to a small selection of whitelisted sites. Behind each of those buttons is an interesting-looking link, something like this:

It turns out the promoId/promocode function as a kind of username/password, and once the link is clicked an authentication process is kicked off. Roughly something like this:

1. After clicking the link the server will return a sessionID ('s'), which is then sent with the promoid/promocode to retrieve temporary credentials.

2. The temporary username and password received are then submitted to login.aspx in a POST request. Notice that the temporary username includes my MAC address, promocode, airport, terminal and a suspicious password-like string 'bwpromo!1'.

Username=boingo/bwpromo!1 C01885DBFED1 0 0 0 Promo 0 BIP08 jfk term7 0 &password=ee0472ab2c647b2f2b876bc346a3eb4dcaeef52a792f15fff6241c&domain=&dst=

3. Once the login request completes, your IP should have been added to the allowed list and you can now browse the full internet!
What the heck is going on?

The main issue is that whitelist restrictions for 'Good Stuff' users are simply not enforced. There should be some server-side mechanism that is monitoring and filtering HTTP requests to only allow content from whitelisted sites; this seems to be missing, or at least was not enabled. Also, I'm not too sure why they included an authentication process for the free content. For paying customers authentication makes sense, but for free content it shouldn't be needed. Tracking users is one possibility, but this could have been done with cookies, headers or POST requests.

Final thoughts

With only an hour to spare before my flight, it was a shame I didn't have longer to play with the Boingo hotspot. When you come across issues as bizarre as this you just know there are more security holes just lurking below the surface :) Thanks for reading; feedback and questions are welcome, just drop me a comment below.
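One way to implement the server-side check that the post says was missing, as an added example that is not the author's or Boingo's code: the gateway records a tier for each client at login and decides on every request, so a free 'Good Stuff' login only ever reaches allow-listed hosts. The Gateway class, the tier names, the host names and the client addresses are constructed for illustration, and the request URL is assumed to be what the gateway sees.

```python
from urllib.parse import urlsplit

# Constructed allow-list; the page does not name the real Good Stuff sites.
PROMO_ALLOWED_HOSTS = frozenset({"news.example", "weather.example"})


class Gateway:
    """Hypothetical hotspot gateway that records a tier per client IP at login."""

    def __init__(self, promo_hosts=PROMO_ALLOWED_HOSTS):
        self.promo_hosts = promo_hosts
        self.sessions = {}  # client IP -> "promo" or "paid"

    def login(self, client_ip, tier):
        # The tier is fixed by the login path (promo link vs. paid account),
        # never taken from anything the client can set later.
        if tier not in ("promo", "paid"):
            raise ValueError("unknown tier")
        self.sessions[client_ip] = tier

    def _host_allowed(self, host):
        # Exact match or a true subdomain. A bare suffix test would also
        # accept look-alikes such as "notnews.example".
        host = host.rstrip(".").lower()
        return any(host == h or host.endswith("." + h) for h in self.promo_hosts)

    def authorize(self, client_ip, url):
        """Per-request decision; anything not explicitly allowed is denied."""
        tier = self.sessions.get(client_ip)
        try:
            parts = urlsplit(url)
        except ValueError:
            return False  # malformed URL: fail closed
        if tier is None or parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        if tier == "paid":
            return True
        # Promo sessions are authenticated but still confined to the allow-list.
        return self._host_allowed(parts.hostname)


if __name__ == "__main__":
    gw = Gateway()
    gw.login("10.0.0.5", "promo")  # constructed client address
    for u in ("http://news.example/story", "http://other.example/",
              "http://news.example.evil.test/", "http://news.example@evil.test/"):
        print(u, gw.authorize("10.0.0.5", u))
```
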