what you don't know can hurt you

Telenor.com.pk SMS 2-Factor Bypass

Telenor.com.pk SMS 2-Factor Bypass
Posted May 14, 2019
Authored by Muhammad Shahbaz

Telenor.com.pk appears to allow an attacker set an arbitrary phone number for receiving an SMS for the second factor of authentication.

tags | exploit, arbitrary, bypass
MD5 | 6053749fdef10320a3e40ebce3662f53

Telenor.com.pk SMS 2-Factor Bypass

Change Mirror Download
Title: Telenor.com.pk Connect Account SMS PIN Redirection
Author: Muhammad Shahbaz
LinkedIn: https://www.linkedin.com/in/mr-muhammad-shahbaz/
Found: 2019-04-01




Attack Pattern:
Telenor.com.pk Connect Account has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow to receive SMS PIN with an arbitrary existing user and the server send the attacker the PIN for the user account.


Client can send a random telenor phone number during the SMS PIN verification flow and the server will send the PIN to that unauthorized phone number of the telenor connect user account:


#POST: https://www.telenor.com.pk/customer/account/sendMystatementsPin/


msisdn:03XXXXXXXXX
form_key:XXxxXXxxXXxxx
resend:1




Result:
{"resent":1,"message":"
Success:PIN re-sent.<\/span><\/div>"}




Vulnerability Parameters:
“msisdn”, by sending from an existing user account with a random telenor phone number while requesting SMS PIN, the random telenor phone number will receive the SMS PIN.

Vulnerability Type:
Design flaw

Vulnerability Details:
Telenor.com.pk customer portal has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow and the server will send the SMS PIN to that number.


This occurs when user requests the two factor SMS PIN from customer portal, mobile phone is being transferred from the client side of the customer portal and on the server side without any further authentication or verification it sends SMS PIN to that phone number of the given user account.

This is not very common vulnerability and its successful exploitation can bypass any user’s SMS second factor authentication to see customer mobile statements.

Even though I believe this is intended feature of the customer portal of https://www.telenor.com.pk. I strongly recommend investigating the issue manually to ensure it is a design flaw and that it needs to be addressed. You can also consider sending the details of this issue to us so I can address this issue for the next time and give you a more precise result.

Impact:
Depending on the account, an attacker can bypass any user’s second factor SMS PIN authentication to see subscriber’s information:
* Balance check and Recharge
* Remaining usage of bundles
* Complete mobile usage details




Actions to Take:
SMS PIN verification on customer portal need to be redesign with fetching mobile phone number from server side rather than on client side and adding preventive measures.


Vulnerability was reported to the company on April 2, 2019.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close