‘Send to a friend’ SMS gotchas part 2

Another thing to look out for with 'send to a friend' SMS is allowing the sender to enter their name. You must ensure the name is validated on the server so that it cannot contain misleading data.

For example:

“Your friend John has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

The form used to send this required a destination mobile number and a name. Imagine the following variations on “John”:

“Your friend John sent you this http://nefarious.mobi/dosomethingbad he also has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

Other variations:

“Your friend John called on 199100100 and also has sent you a link http://coolstuff.mobi/212322.  Check out more cool stuff at coolstuff.mobi”

Of course 1991100100 would be some premium rate number. All of these exploits are well known in the web world; the mobile world adds the further problem that it is relatively easy to extract money from an unsuspecting mobile user.

The Fix:

Clean all data submitted in forms on the server side: remove all URLs, including click-to-call URLs such as “tel:” and “wtai://wp/mc;”.
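As an added illustration (not code from the original post), here is a server-side check in Python that applies the fix above. It reports names that smuggle in a web URL, a “tel:” or “wtai://” click-to-call URI, or a long digit run, and it goes one step further than stripping known bad schemes by only accepting names that match an allow-list (letters, spaces, hyphens, apostrophes, bounded length). The message template, the coolstuff.mobi domain and MAX_NAME_LEN are assumptions.

```python
import re
from typing import Optional

# Assumed policy value: the longest sender name we are willing to place in an SMS.
MAX_NAME_LEN = 30

# Blocklist of what the post warns about: web URLs, bare domains, click-to-call
# URIs ("tel:", "wtai://wp/mc;") and digit runs long enough to be a phone number.
_INJECTED = re.compile(
    r"(https?://|www\.|\b[a-z0-9-]+\.(?:mobi|com|net|org)\b|tel:|wtai://|\d{6,})",
    re.IGNORECASE,
)

# Allow-list: words made of letters only (Unicode aware), joined by a single
# space, hyphen or apostrophe. Anything else is rejected rather than "cleaned".
_ALLOWED = re.compile(r"[^\W\d_]+(?:[ '\-][^\W\d_]+)*")


def find_injected_payload(name: str) -> Optional[str]:
    """Return the first URL / click-to-call / phone-number fragment found, for logging."""
    match = _INJECTED.search(name)
    return match.group(0) if match else None


def sanitize_sender_name(name: str) -> Optional[str]:
    """Return the name if it passes the allow-list, otherwise None (reject the request)."""
    name = " ".join(name.split())  # collapse newlines and repeated spaces
    if not name or len(name) > MAX_NAME_LEN:
        return None
    if find_injected_payload(name) is not None:
        return None  # blocklist hit: worth logging, since it is an attack attempt
    if _ALLOWED.fullmatch(name) is None:
        return None  # allow-list miss: digits, punctuation, URI separators, etc.
    return name


def build_sms(name: str, link_id: str) -> Optional[str]:
    """Build the outgoing SMS, or return None if either field fails validation."""
    clean = sanitize_sender_name(name)
    if clean is None or not link_id.isdigit():
        return None
    return (
        f"Your friend {clean} has sent you a link http://coolstuff.mobi/{link_id}. "
        "Check out more cool stuff at coolstuff.mobi"
    )
```

Rejecting rather than stripping is deliberate: a name that contains a URL is an attack, not a typo, and silently cleaning it hides the signal from your logs.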


‘Send to a friend’ SMS gotchas

UPDATE: The developers removed the send to a friend functionality!

There I was using a mobile site that allowed you to send the page you are on to a friend (by SMS). Upon closer inspection it had a huge security hole, one that cost approximately 15 to 20 cents each time it was exploited. It was also easy to change the destination mobile number, allowing it to be used as a denial of service attack on a single number or to spam a range of numbers. It was repeatable and easily scriptable. NOTE: I disclosed this to the company responsible; I didn’t even get a response.
