‘Send to a friend’ SMS gotchas part 2

Another thing to look out for with SMS to a friend is allowing the sender to enter their own name. The server must check the name data so that it cannot carry misleading content.

For example:

“Your friend John has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

The form that sends this requires a destination mobile number and a name; imagine the following variations on “John”:

“Your friend John sent you this http://nefarious.mobi/dosomethingbad he also has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

Other variations:

“Your friend John called on 199100100 and also has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

Of course 1991100100 would be some premium rate number. All of these exploits are well known in the web world; the mobile world adds the problem that it is relatively easy to extract money from an innocent mobile user.

The Fix:

Clean all data submitted in forms: remove all URLs, including click-to-call URLs such as “tel:” and “wtai://wp/mc;”.
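As an added example (not code from the original post), here is one way to apply that fix server-side in Python: strip the link forms named above from the name field, then accept only what still looks like a name, and build the SMS from a fixed template so the link always comes from a server-side id. It goes slightly beyond the text by also stripping digit runs, since the post's own example shows a premium-rate number smuggled in; the “sms:” scheme, the name-shape rule and the item id format are assumptions.

```python
import re

# Link-like tokens: web URLs, bare domains, and click-to-call schemes.
# "tel:" and "wtai://wp/mc;" are from the post; "sms:" is an added assumption.
LINK_RE = re.compile(
    r"(?:https?://|wtai://|tel:|sms:|www\.)[^\s]*"
    r"|\b[\w-]+(?:\.[\w-]+)*\.(?:mobi|com|net|org|info)\b(?:/[^\s]*)?",
    re.IGNORECASE,
)
# Digit runs long enough to be a dialable (e.g. premium-rate) number.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{4,}\d")
# What we are willing to call a name (assumed rule): 1-3 words of letters,
# apostrophes or hyphens, at most MAX_NAME_LEN characters in total.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z'-]*(?: [A-Za-z][A-Za-z'-]*){0,2}$")
MAX_NAME_LEN = 30


def clean_name(raw: str):
    """Return the cleaned sender name, or None if the field must be rejected.

    Stripping known-bad tokens is only a backstop; the allow-list check on
    what remains is the real control, so injected sentences are refused
    rather than partially cleaned.
    """
    text = LINK_RE.sub(" ", raw)
    text = PHONE_RE.sub(" ", text)
    text = " ".join(text.split())  # collapse whitespace left by the removals
    if len(text) > MAX_NAME_LEN or not NAME_RE.match(text):
        return None
    return text


def build_sms(raw_name: str, item_id: str) -> str:
    """Compose the SMS; the link is built from a server-side item id, never
    from anything the submitter typed."""
    name = clean_name(raw_name)
    if name is None:
        raise ValueError("sender name rejected")
    if not item_id.isdigit():  # assumed id format, matching the post's example
        raise ValueError("bad item id")
    return (
        f"Your friend {name} has sent you a link http://coolstuff.mobi/{item_id}. "
        "Check out more cool stuff at coolstuff.mobi"
    )
```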
