what you don't know can hurt you

Telenor.com.pk SMS 2-Factor Bypass

Telenor.com.pk SMS 2-Factor Bypass
Posted May 14, 2019
Authored by Muhammad Shahbaz

Telenor.com.pk appears to allow an attacker set an arbitrary phone number for receiving an SMS for the second factor of authentication.

tags | exploit, arbitrary, bypass
MD5 | 6053749fdef10320a3e40ebce3662f53

Telenor.com.pk SMS 2-Factor Bypass

Change Mirror Download
Title: Telenor.com.pk Connect Account SMS PIN Redirection
Author: Muhammad Shahbaz
LinkedIn: https://www.linkedin.com/in/mr-muhammad-shahbaz/
Found: 2019-04-01




Attack Pattern:
Telenor.com.pk Connect Account has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow to receive SMS PIN with an arbitrary existing user and the server send the attacker the PIN for the user account.


Client can send a random telenor phone number during the SMS PIN verification flow and the server will send the PIN to that unauthorized phone number of the telenor connect user account:


#POST: https://www.telenor.com.pk/customer/account/sendMystatementsPin/


msisdn:03XXXXXXXXX
form_key:XXxxXXxxXXxxx
resend:1




Result:
{"resent":1,"message":"
Success:PIN re-sent.<\/span><\/div>"}




Vulnerability Parameters:
“msisdn”, by sending from an existing user account with a random telenor phone number while requesting SMS PIN, the random telenor phone number will receive the SMS PIN.

Vulnerability Type:
Design flaw

Vulnerability Details:
Telenor.com.pk customer portal has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow and the server will send the SMS PIN to that number.


This occurs when user requests the two factor SMS PIN from customer portal, mobile phone is being transferred from the client side of the customer portal and on the server side without any further authentication or verification it sends SMS PIN to that phone number of the given user account.

This is not very common vulnerability and its successful exploitation can bypass any user’s SMS second factor authentication to see customer mobile statements.

Even though I believe this is intended feature of the customer portal of https://www.telenor.com.pk. I strongly recommend investigating the issue manually to ensure it is a design flaw and that it needs to be addressed. You can also consider sending the details of this issue to us so I can address this issue for the next time and give you a more precise result.

Impact:
Depending on the account, an attacker can bypass any user’s second factor SMS PIN authentication to see subscriber’s information:
* Balance check and Recharge
* Remaining usage of bundles
* Complete mobile usage details




Actions to Take:
SMS PIN verification on customer portal need to be redesign with fetching mobile phone number from server side rather than on client side and adding preventive measures.


Vulnerability was reported to the company on April 2, 2019.
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    18 Files
  • 29
    May 29th
    17 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close