The recent proxy server, implemented by Vodacom in order to provide its new "Content Adaption" service and to better render web sites on small screen devices, has inadvertently created a serious security issue.
According to Brett Steingo, GM: mobility solutions at Internet Solutions (IS), some of the unintended results have given rise to serious privacy concerns among consumers and corporate customers alike.
"Since all traffic is routed first through its proxy server, sites requiring login information result in users' passwords being intercepted and reformatted.
"Clients logging in, for example to webmail, have their passwords captured in plain text and forwarded on. In the event of a failure, this password is being re-directed to a Google search page in plain text."
Some basic testing by IS staff shows how any user can demonstrate this fault: users can browse to an Exchange Outsourced Web Access / Webmail site from their cell phone using http://webmail.your.site.domain/ and not https://, says Steingo.
The page that will come up, asking for a username and password, will look something like this: "http://owafe083.vodacommi.co.za/webmail.your.site.domain/" – and is not secure.
If the user fills in a username and password (they're urged to use a fake one for the demo), in some cases both entries will be sent as an unsecured search query to Google.
Users can get around this by going directly to the "https" version of the site, says Steingo. The site will work, but the password still gets redirected and sent to Google as a search request.
"Clients are also reporting the inability to use a variety of applications over this platform and VLive APNs since the implementation of Content Adaption," says Steingo. "IS clients using the IS Internet APNs (mobile.is.co.za and vpn.is.co.za) remain unaffected."