exploit the possibilities

Telenor.com.pk SMS 2-Factor Bypass

Telenor.com.pk SMS 2-Factor Bypass
Posted May 14, 2019
Authored by Muhammad Shahbaz

Telenor.com.pk appears to allow an attacker set an arbitrary phone number for receiving an SMS for the second factor of authentication.

tags | exploit, arbitrary, bypass
MD5 | 6053749fdef10320a3e40ebce3662f53

Telenor.com.pk SMS 2-Factor Bypass

Change Mirror Download
Title: Telenor.com.pk Connect Account SMS PIN Redirection
Author: Muhammad Shahbaz
LinkedIn: https://www.linkedin.com/in/mr-muhammad-shahbaz/
Found: 2019-04-01




Attack Pattern:
Telenor.com.pk Connect Account has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow to receive SMS PIN with an arbitrary existing user and the server send the attacker the PIN for the user account.


Client can send a random telenor phone number during the SMS PIN verification flow and the server will send the PIN to that unauthorized phone number of the telenor connect user account:


#POST: https://www.telenor.com.pk/customer/account/sendMystatementsPin/


msisdn:03XXXXXXXXX
form_key:XXxxXXxxXXxxx
resend:1




Result:
{"resent":1,"message":"
Success:PIN re-sent.<\/span><\/div>"}




Vulnerability Parameters:
“msisdn”, by sending from an existing user account with a random telenor phone number while requesting SMS PIN, the random telenor phone number will receive the SMS PIN.

Vulnerability Type:
Design flaw

Vulnerability Details:
Telenor.com.pk customer portal has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow and the server will send the SMS PIN to that number.


This occurs when user requests the two factor SMS PIN from customer portal, mobile phone is being transferred from the client side of the customer portal and on the server side without any further authentication or verification it sends SMS PIN to that phone number of the given user account.

This is not very common vulnerability and its successful exploitation can bypass any user’s SMS second factor authentication to see customer mobile statements.

Even though I believe this is intended feature of the customer portal of https://www.telenor.com.pk. I strongly recommend investigating the issue manually to ensure it is a design flaw and that it needs to be addressed. You can also consider sending the details of this issue to us so I can address this issue for the next time and give you a more precise result.

Impact:
Depending on the account, an attacker can bypass any user’s second factor SMS PIN authentication to see subscriber’s information:
* Balance check and Recharge
* Remaining usage of bundles
* Complete mobile usage details




Actions to Take:
SMS PIN verification on customer portal need to be redesign with fetching mobile phone number from server side rather than on client side and adding preventive measures.


Vulnerability was reported to the company on April 2, 2019.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    3 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close