2009-01-17

Security case study: Hole in SMS spam websites allows charges to arbitrary mobile numbers

The Web 2.0 paradigm opens a new web programming model. However, every new programming model is prone to developer incompetence.

Old model:
Client <--> Server <--> Database

New model:
Client <--> Server
   \--> Database

The problem, of course, is that the database now has a second point of entry. You need to remember: if a client is making a request to your server, you need to scrutinize that request... every time.

The SMS spam website is one of these:
  • http://www.triviaspace.net/US1/
  • http://iqlovetestv0.iqlovetest.com/
  • http://www.thankyoupath.com/landing_pages/quiz_dating/

After going through the quiz, your browser is requested to load a script like this:

http://rpcus1.z-sms.com/HttpRpc/IQ_Pin_US.php?CarrierCompliant=no&Score=17&IP=1.2.3.4&Host=&Name=&Starsign=&Source=41152&Number=2152223456&Service=WEEKLY_TRIVIA_44999_999&ShortCode=44999&Message=Haha!&MessageVer=Haha&MessageATT=Haha

Which loads something like this:
var Provider='tmobile'; var Code=1777; var LoversName='CHARLIE'; var IQ='85'; var Origin=''; var Meaning=''; var Tester1 = '987'; var Tester2 = '7555'; var Tester3 = '987';
You can use this Web API to learn the service provider for any phone number in the US (works for most numbers):
After you get that page, read the var Provider='...' part. If that's a Sprint number, you can call 888-211-4727 to see how many minutes were used by that phone number in the past month.

If you had used a URL like the one above for your first request, you would also get a Code=### part. That code could be entered into a page like this:
<form action="http://www.triviaspace.net/US1/confirm.php?a=41152" method="post" name="form1" onsubmit="Validate(txtPin)">
<input id="Service" name="Service" value="WEEKLY_TRIVIA_44999_999" type="hidden">
<input id="Shortcode" name="Shortcode" value="44999" type="hidden">
<input id="Provider" name="Provider" value="" type="hidden">
<input id="RealPin" name="RealPin" value="" type="hidden">
<input id="Portal" name="Portal" value="TheIqQuiz.com" type="hidden">
<input id="LoversName" name="LoversName" value="" type="hidden">
<input id="IQ" name="IQ" value="" type="hidden">
<input id="Origin" name="Origin" value="" type="hidden">
<input id="Meaning" name="Meaning" value="" type="hidden">
<input id="fPin" maxlength="5" name="txtPin" type="hidden">
</form>
Now... I'm not giving you the full details to run this request. See update below. But, if you followed through, the result is a simple Web API that allows you to charge money on the phone bill of arbitrary mobile phone users. That's what I call a failure in security.
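As an added illustration (not code from the original post or from the site it describes), here is the pattern the RPC response and form above expose, reconstructed in Python, beside a server-side confirmation flow that keeps the PIN off the client; the function names and the in-memory store are assumptions.

```python
"""Added example: PIN handed to the browser vs. PIN kept server-side."""
import hmac
import secrets
import time

# --- Vulnerable pattern (what the page describes): the RPC returns the
# PIN as Code=..., and confirm.php compares two values the client posts
# (RealPin and txtPin), so the client can satisfy the check by itself.
def vulnerable_rpc(number):
    pin = str(secrets.randbelow(9000) + 1000)
    return {"Provider": "carrier", "Code": pin}   # secret leaves the server

def vulnerable_confirm(real_pin, txt_pin):
    return real_pin == txt_pin                     # both client-controlled

# --- Hardened pattern: the PIN is generated and stored server-side, sent
# only to the handset, expires, is single-use, and guesses are capped.
_PINS = {}   # number -> {"pin", "exp", "tries"}; constructed in-memory store

def request_pin(number, send_sms, now=None):
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10**5):05d}"
    _PINS[number] = {"pin": pin, "exp": now + 600, "tries": 0}
    send_sms(number, f"Your code is {pin}")        # delivered out of band
    return {"status": "sent"}                      # nothing secret returned

def confirm_pin(number, submitted, now=None, max_tries=3):
    now = time.time() if now is None else now
    rec = _PINS.get(number)
    if rec is None or now > rec["exp"]:
        return False                               # unknown or expired
    rec["tries"] += 1
    if rec["tries"] > max_tries:
        del _PINS[number]                          # lock out brute force
        return False
    if hmac.compare_digest(rec["pin"], submitted):
        del _PINS[number]                          # single use
        return True
    return False
```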

(Update 2010-01-02, cleaned up URLs and copyediting)
Also, I was ready to post a full exploit today, but it seems like they have cleaned up their act a little. Also, the first page still works.