From Revealing Emails to Taking Over Accounts (Hacking Telecom)
In the name of Allah, the Most Gracious, the Most Merciful.
Hello,
My name is Ahmad Halabi.
I work at Resecurity, a cyber security intelligence company protecting Fortune 500 companies against threats of all types.
Part of what we do through our Hunter Unit operations is investigating and identifying new zero days, attacks and techniques that allow threat actors to cause massive data breaches and infections.
In this article, I will explain how I found a bug that allowed me to disclose the email addresses of all users of a huge telecom company and take over their accounts too.
Exploiting the “Forgot Password” Feature ::
Usually, if you forget your password, you can recover it by having a recovery code sent to your email or phone number.
First, the application requires you to enter your phone number in the “Forgot Login Details” section, so I entered the victim's phone number.
The application then offers two choices: send the PIN code to the email address or to the phone number.
Both the phone number and the email address are hidden in this view.
In our case we already have the victim's phone number; what we want is to reveal their email address.
It does not matter where the code is sent, because we are going to bypass the check anyway, so either option works.
After clicking the Send PIN button, the code is sent. We will not use it.
Exploiting the Verification PIN Process ::
The technique here is response manipulation: intercept the server's response to the verification request, which says the code was wrong, and replace it with a response that says it was correct.
I entered the random PIN code 1111 and intercepted the request in Burp.
The request above shows the 4-digit code split into four separate inputs (pin1, pin2, pin3, pin4) alongside three further pin inputs. The splitting was presumably meant to make brute forcing the PIN harder, although on its own it does not: four parameters still encode only 10,000 combinations, and only server-side attempt limits actually stop a brute force.
I did not brute force anything. Instead, I intercepted the response, as shown in the picture below.
After sending the request, I looked at its response and saw the status code “700” with operation “VERIFYOTP”, meaning the verification had failed because the OTP was wrong.
I simply replaced {"code":"700","operation":"VERIFYOTP"} in the response with {"code":"200"} and forwarded it.
The client accepted the forged response and redirected me to the Change Password page, which displayed the victim's email address and treated the PIN as verified.
Setting a new password there succeeded: a full account takeover.
Impact ::
1. I was able to reveal the emails of the users in the telecom company's database. Threat actors could easily:
   - Collect all the phone numbers belonging to this telecom.
   - Automate the vulnerability and run it against all the collected phone numbers.
   - Sell the disclosed private emails on the dark web.
   - Use them in massive phishing campaigns.
2. I was able to change the password of any account at the telecom company, i.e. full account takeover, which could easily have led to:
   - Financial loss for users.
   - Large losses of purchased packages on their accounts.
Conclusion ::
In this case, response manipulation not only revealed the emails; it also redirected me to the Change Password page, allowing me to take over any account I targeted. The client trusted the response to decide the next step, and nothing on the server checked whether that step had actually been earned.
Remediation ::
Fixing the response manipulation issue on its own would not have been enough: the real problem was an authorization gap on the change-password step. The server had to verify, on its side, that the OTP had actually been validated for that phone number before revealing the email or accepting a new password; otherwise the check could simply be bypassed again.
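To make both the exploit from “Exploiting the Verification PIN Process” and the fix from “Remediation” concrete, here is an added example that models the flow in Python. It is not the author's code and not the telecom's real API: the 700 and 200 status codes and the pin1..pin4 layout come from the write-up, while every endpoint name, the other status codes, the OTP_MAX_ATTEMPTS lockout policy, the masked-email format and the sample account are assumptions made for this model. The vulnerable server answers the OTP check honestly but lets the client decide what happens next; the hardened server hands out a single-use, phone-bound reset token only on a correct OTP and requires it before revealing anything or changing the password.

```python
# Added example modelling the forgot-password flow from the write-up; not the
# author's code or the telecom's API. Only the 700/200 codes and the split
# pin1..pin4 inputs are from the article; everything else here is assumed.
import hmac
import secrets

OTP_MAX_ATTEMPTS = 5  # assumed lockout policy for the hardened server


def mask_email(email):
    """Show only the first character of the local part, e.g. v*****@example.com."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain


class ResetServer:
    """hardened=False reproduces the bug pattern: verify_otp answers honestly,
    but the follow-up endpoints never check that verification happened, so a
    client that believes a forged {"code":"200"} walks straight through.
    hardened=True issues a single-use, phone-bound reset token only on a
    correct OTP, requires it downstream, masks the email and locks the OTP."""

    def __init__(self, hardened, otp_source=None):
        self.hardened = hardened
        # otp_source exists so tests can pin the code; production uses the default.
        self.otp_source = otp_source or (lambda: f"{secrets.randbelow(10_000):04d}")
        # Constructed sample account keyed by phone number.
        self.users = {"+96170000000": {"email": "victim@example.com",
                                       "password": "original-secret"}}
        self.pending_otps = {}  # phone -> outstanding 4-digit OTP
        self.attempts = {}      # phone -> failed verify_otp calls (hardened)
        self.reset_tokens = {}  # reset token -> phone (hardened)

    def send_pin(self, phone):
        if phone not in self.users:
            return {"code": "404"}
        self.pending_otps[phone] = self.otp_source()
        self.attempts[phone] = 0
        return {"code": "200", "operation": "SENDPIN"}

    def verify_otp(self, phone, pin1, pin2, pin3, pin4):
        # Same pin1..pin4 split as the intercepted request; only the counter limits guessing.
        submitted = pin1 + pin2 + pin3 + pin4
        expected = self.pending_otps.get(phone)
        if self.hardened:
            if self.attempts.get(phone, 0) >= OTP_MAX_ATTEMPTS:
                return {"code": "429", "operation": "VERIFYOTP"}  # locked out
            self.attempts[phone] = self.attempts.get(phone, 0) + 1
        if expected is None or not hmac.compare_digest(submitted, expected):
            return {"code": "700", "operation": "VERIFYOTP"}  # wrong OTP
        del self.pending_otps[phone]  # an OTP is single use
        if not self.hardened:
            return {"code": "200"}
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = phone
        return {"code": "200", "reset_token": token}

    def _authorized(self, phone, reset_token, consume):
        if not self.hardened:
            return True  # vulnerable: knowing the phone number is enough
        if consume:
            return self.reset_tokens.pop(reset_token, None) == phone
        return self.reset_tokens.get(reset_token) == phone

    def change_password_page(self, phone, reset_token=None):
        """The page the client loads after it believes verification succeeded."""
        if phone not in self.users or not self._authorized(phone, reset_token, False):
            return {"code": "403"}
        email = self.users[phone]["email"]
        return {"code": "200", "email": mask_email(email) if self.hardened else email}

    def change_password(self, phone, new_password, reset_token=None):
        if phone not in self.users or not self._authorized(phone, reset_token, True):
            return {"code": "403"}
        self.users[phone]["password"] = new_password
        return {"code": "200"}


def attacker_flow(server, phone, new_password="attacker-chosen"):
    """Replays the write-up: guess 1111, rewrite the 700 response to
    {"code":"200"} the way Burp did, and let the client carry on."""
    server.send_pin(phone)
    resp = server.verify_otp(phone, "1", "1", "1", "1")
    if resp.get("code") != "200":
        resp = {"code": "200"}  # response manipulation; the client believes it
    token = resp.get("reset_token")  # None unless the OTP was really correct
    page = server.change_password_page(phone, token)
    changed = server.change_password(phone, new_password, token)
    return {"email": page.get("email"), "takeover": changed["code"] == "200"}


def legitimate_flow(server, phone, otp, new_password):
    """The account owner's own reset with the code received out of band."""
    resp = server.verify_otp(phone, *otp)
    if resp["code"] != "200":
        return False
    return server.change_password(phone, new_password, resp.get("reset_token"))["code"] == "200"
```

Against `ResetServer(hardened=False)` the forged 200 yields the full email and a changed password, exactly the chain in the write-up; against `hardened=True` the same flow gets 403 from both follow-up endpoints, because the forged response never carried a server-issued reset token, and repeated wrong guesses are locked out regardless of how the digits are split across parameters. A real deployment would additionally expire the reset token after a short time.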
Hope you enjoyed reading!
You can follow me on: LinkedIn / Twitter / Instagram / My Website
Kind Regards.