Thursday, December 12, 2013

Tomtom password reset issue.

I reported on the 6th of June 2013 an issue at Tomtom's website. It was something that I discovered by accident because I was helping out a family member who had forgotten his password. I waited until now to publicly disclose it because I wanted to give Tomtom the opportunity to fix it.

The Tomtom application that was installed on my family member's computer allowed my family member to trigger a password reset (by entering the e-mail address coupled to the account). My family member opened his mailbox and had a new e-mail from Tomtom with the password reset.

I got distracted in the process by the cat (cats are masters in social engineering) and asked to reset it a second time. In the inbox of my family member were thus 2 e-mails coming from the reset service. My family isn't into computers and thus when I asked them to click the link, they clicked on the first mail they saw, which was the oldest one. The reset worked and my family was happy, not realizing that this e-mail wasn't supposed to trigger the reset since there was a newer request for the reset.

The link in the e-mail looks like this:
http://www.tomtom.com/myTomTom/password_reminder_confirm.php?frm_email=familymember@mail.com&frm_check=f4357e2fa574a1764edcf077eaaf95dd

As you can see the format of the link is quite basic, an e-mail address and a hash.

On my way home I was going over the situation and asked my family member if I could get a copy of the e-mails to make sure I hadn't misinterpreted something. I wondered if I could do a password reset now that the password had already been reset.

I just clicked the link (no proxies in between) and did a reset of the password by using the form. Thus basically anybody who had that link could reset the password. What exact information you can find, and how valuable that information is, I considered out of scope.
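The two failures described above (an older link still working after a newer request was made, and a link still working after the reset it was issued for had already been completed) are both avoided by the usual server-side rules for reset tokens: generate a fresh random token per request, store only a hash of it, replace any pending token for the same account, let it expire, and delete it on first successful use. The following Python example is added here for illustration; it is not code from the post and not Tomtom's implementation. The in-memory store, the 15-minute lifetime and the use of the e-mail address as the account key are assumptions, and the demo functions re-enact the sequence from the story.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


class PasswordResetService:
    """Single-use, expiring, per-account password reset tokens (illustrative)."""

    def __init__(self, now=time.time):
        self._now = now
        # account e-mail -> (sha256(token), issued_at); one pending token per account
        self._pending = {}

    def request_reset(self, email):
        """Issue a new token and invalidate any earlier unused token for the account."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Storing only the hash means a leaked table does not yield working links.
        # Overwriting the entry is what kills the older, still-unused link.
        self._pending[email.lower()] = (digest, self._now())
        return token  # this is what goes into the e-mailed link

    def confirm_reset(self, email, token):
        """Return True exactly once for a current, unexpired token; False otherwise."""
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False  # no pending request, already used, or superseded
        stored_digest, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            del self._pending[key]  # expired: discard so it can never be replayed
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(stored_digest, presented):
            return False  # wrong token; leave the pending entry in place
        del self._pending[key]  # single use: consume on success
        return True


def demo_second_request_invalidates_first():
    """Re-enacts the story: two reset requests, then the older link is clicked."""
    svc = PasswordResetService()
    account = "familymember@mail.com"  # address taken from the post
    first = svc.request_reset(account)
    second = svc.request_reset(account)
    return (
        svc.confirm_reset(account, first),   # False: superseded by the second request
        svc.confirm_reset(account, second),  # True: current token
        svc.confirm_reset(account, second),  # False: already consumed
    )


def demo_expired_token():
    """A token older than the TTL is rejected even if it was never used."""
    clock = [1_000_000.0]  # constructed fake clock
    svc = PasswordResetService(now=lambda: clock[0])
    token = svc.request_reset("familymember@mail.com")
    clock[0] += TOKEN_TTL_SECONDS + 1
    return svc.confirm_reset("familymember@mail.com", token)


if __name__ == "__main__":
    print(demo_second_request_invalidates_first())  # (False, True, False)
    print(demo_expired_token())  # False
```

With this design the `frm_email` parameter in the link is only a lookup key; whether the reset goes through is decided entirely by the server-side entry, which exists at most once per account and disappears on first use, on expiry, or when a newer request replaces it.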

Since I work for CERT.be, I am familiar with the responsible disclosure guide of NCSC. The first problem I had was finding out who I had to contact at Tomtom. No information on their website, but I was lucky, the whois contact worked.

In CC of my e-mail to Tomtom I had put the NCSC (the CERT of The Netherlands) and CERT.be. The reason is simply to have a cover-my-ass strategy: Tomtom is a company in The Netherlands and I am a Belgian citizen, so I chose to put both national CERT teams in copy. I do not want to get in trouble for discovering a problem, I just want to get it fixed.

I got a reply from Tomtom on the 14th of June 2013. First of all they thanked me, said they would look into the problem and promised to keep me informed. The sad truth is that this last promise wasn't kept. I don't know if the reason I never got a reply is that I was truthful about the fact that I would write this blog entry about it.