
Phone numbers are enough to access user accounts on some mobile operator portals

Researcher reveals trivial authentication bypass vulnerability that could allow attackers to make purchases from mobile subscriber accounts

By Lucian Constantin, IDG News Service
September 19, 2012 08:40 AM ET

IDG News Service - Attackers could impersonate legitimate mobile users on the Web portals many mobile operators use to sell content and services to their customers because of a security flaw in the sites, according to Bogdan Alecu, an independent security researcher from Romania.


The attacker only needs to know a user's phone number in order to exploit the vulnerability and buy games, ringtones, wallpapers or service subscriptions through the user's account on operators' WAP (Wireless Application Protocol) and Web portals, Alecu said.

The security researcher claims to have discovered the authentication bypass vulnerability in the websites of many mobile operators back in January.

The WAP and Web portals of 20 operators from Romania, Germany, Austria, Italy, France, Poland, the U.K., Brazil and the Netherlands were tested and around 15 of them were found to be vulnerable in one way or another, Alecu said.

The vulnerability stems from the fact that many such websites authenticate users automatically based on special HTTP headers sent by mobile browsers or added by the operator's proxy server when the phone's data connection is used.

Alecu found that he could gain access to another subscriber's online account by forcing his browser to send HTTP headers that contained that subscriber's phone number instead of his own. He calls this an HTTP headers pollution attack.
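The two halves of the defence that the flaw above calls for, as an added example that is not code from the article or from any operator: the operator's proxy must overwrite any subscriber-identity header the handset sent rather than leave it in place, and the portal must accept that header only when the request arrives directly from the proxy. The header name `X-MSISDN`, the proxy address range and the phone numbers are assumptions for illustration; the article names none of them.

```python
import ipaddress
import logging
from typing import Mapping, Optional

# Assumed header name; the article only says "special HTTP headers".
SUBSCRIBER_HEADER = "X-MSISDN"
# Constructed address range standing in for the operator's own proxy farm.
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.0/24")]

log = logging.getLogger("portal.auth")


def inject_subscriber_header(headers: Mapping[str, str], msisdn: str) -> dict:
    """Proxy side: drop every client-supplied copy of the header (any casing)
    and set the value learned from the data session. Appending instead of
    replacing is what lets a spoofed number survive even on the operator's
    own network."""
    cleaned = {k: v for k, v in headers.items() if k.lower() != SUBSCRIBER_HEADER.lower()}
    cleaned[SUBSCRIBER_HEADER] = msisdn
    return cleaned


def from_trusted_proxy(remote_addr: str) -> bool:
    """remote_addr must be the TCP peer address, never a forwarded-for header."""
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_subscriber(headers: Mapping[str, str], remote_addr: str) -> Optional[str]:
    """Portal side: return the subscriber number only if the proxy set it.

    A subscriber header arriving from any other address is discarded and
    logged, since the client could have written it itself; the caller then
    falls back to ordinary username/password login."""
    lowered = {k.lower(): v for k, v in headers.items()}
    msisdn = lowered.get(SUBSCRIBER_HEADER.lower())
    if msisdn is None:
        return None
    if not from_trusted_proxy(remote_addr):
        log.warning("subscriber header from untrusted peer %s ignored", remote_addr)
        return None
    return msisdn
```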

To test this attack, the researcher used Mozilla Firefox running on his laptop because Firefox has extensions that allow sending custom headers and spoofing the user-agent strings to masquerade as a mobile browser.

In some cases, for the attack to work, the browser had to be configured to use the mobile operator's proxy server, which is publicly known, before accessing its website, Alecu said.

Sometimes the attack worked using the computer's existing Internet connection. However, in other cases, launching a successful attack required buying a SIM card from the targeted operator, plugging it into a 3G modem and connecting the computer through that.

That's because some operators block access to their portals from IP addresses that are not from their own networks.

However, in the absence of a SIM card, this restriction can be bypassed by connecting through the legacy dial-up services known as Circuit Switched Data (CSD) still offered by some operators, Alecu said. The researcher first connected to a voice-over-IP service that supports caller ID spoofing and then called the operator's dial-up number to get on its network.

What can be done once you gain access to a user's account depends on what kind of services the targeted operator offers on its website, Alecu said.

In addition to buying premium rate content, some operators offer the ability to recharge a prepaid SIM card from a mobile user's online account. Other operators use separate accounts for such operations that are protected by a username and password.

The portal of a mobile operator from China even allowed users to perform online banking transactions if they had a particular service enabled, the researcher said. That was probably the result of a partnership between the operator and a number of banks.
