
CSRF Vulnerability in 160By2 and Way2Sms allows hackers to send SMS from the victim's account

I have discovered a Cross-Site Request Forgery (CSRF) vulnerability in the top online SMS-sending service websites 160By2.com and Way2SMS.com. Let me start with the security flaw in 160By2 because it is the critical one.

CSRF in 160By2:
The vulnerability allows hackers to send SMS from the target victim's account to any mobile. I discovered this flaw when I was sending New Year wishes to my friends.

The vulnerability resides in the "SMS alerts" page. This page allows the user to send scheduled SMS. Unfortunately, this page fails to check, with the help of a CSRF token, whether the request is coming from the user or not.

So it is easy for an attacker to lure a victim into clicking a crafted link that sends a malicious request to the server.
CSRF Vulnerability in 160BY2
Hackers can modify the request so that it sends SMS to anyone at any time.

Solution:
While sending the above request, include and verify the "action" value that you have used in the main SMS sending page.


CSRF in Way2SMS:
This vulnerability just allows a hacker to change the name of the victim with a crafted request.



Solution:
While sending the above request, include and verify the "action" value that you have used in the main SMS sending page.
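
The fix recommended in both "Solution" sections (for the 160By2 scheduled-SMS request and the Way2SMS name-change request), sketched server-side as an added example that is not code from either site or from the original post. The field name "action" comes from the post; the token format, the function names, the session ids and the POST-only rule are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Server-side secret. Generated per process here; a real deployment loads it
# from configuration so tokens survive restarts (assumption).
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    # The nonce has a fixed length, so "nonce:session_id" is unambiguous.
    msg = f"{nonce}:{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Value the server embeds as the hidden "action" field of its own forms."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, token) -> bool:
    """True only if the token was issued by this server for this session."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, sent_mac = token.split(".")
    if len(nonce) != 32:
        return False
    expected = _mac(session_id, nonce)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sent_mac.encode(), expected.encode())


def handle_state_change(method: str, session_id: str, form: dict) -> int:
    """Gate for state-changing handlers (schedule SMS, change profile name).

    Returns the HTTP status: 200 if the request may proceed, else 405 or 403.
    """
    if method != "POST":
        return 405  # a followed link (GET) must never change state
    if not verify_token(session_id, form.get("action")):
        return 403  # token missing, forged, or bound to another session
    return 200
```

Because the token is bound to the session, a request forged from another site fails even though the browser attaches the victim's cookie: the forging page cannot read the "action" value issued to that session.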

I tried to notify both websites regarding the issue, with a solution to fix the vulnerability. But there was no response from their side. So I planned to publish the details.

Note: Previously, I discovered a persistent XSS vulnerability and notified 160By2. But they failed to respond that time also.

Persistent XSS Vulnerability in 160By2


Hi, I've discovered a persistent cross-site scripting vulnerability in the 160by2 website, a popular site used for sending SMS.

Today, while I was sending a message to one of my friends from 160by2, my hacker mind started to work (after a long time). I inserted a script instead of a message. The message was successfully sent to the receiver.

 The inserted script:
     <script>alert("BreakTheSec")</script>


At the same time, 160by2 displayed the message sent by me in the Sent Box. Yeah, the inserted script is executed and displays the popup.

Whenever I visit the Sent box, the popup is displayed. In fact, the popup is displayed on the main page also, because of the "LAST 5 MESSAGES SUMMARY" section on the home page.

I consider the risk level of this vulnerability as very very low because it only works when you are logged in. So, it won't help attackers to target victims.