ICQ, new features - new holes
Hello, dear friend, I will immediately ask for your forgiveness, since it is always difficult for me to write an introduction and therefore it will be a little liquid.
So:
As the time shows, in ICQ, with the introduction of a new function, a new security breach opens, take at least this article:
')
“Html injection on icq.com pages”
Taking it as a basis, I began my research.
What is new in ICQ?
Attentive users will easily answer this question: “linking the ICQ number to your mobile phone number”.
But what functions at the same time appeared:
- Password recovery via code sent to mobile.
- Login (login to ICQ) via code sent to mobile.
- Registration of a new user through the code sent to the mobile.
I started of course with password recovery.
When entering the phone number associated with the ICQ number on the password recovery page www.icq.com/password, we see a page where we will be asked to enter the code that came to the mobile, as well as the new password.
The address of this page looks like this:
This link lives about 24 hours.
The most important link piece consists of two parts:
- The first is either an encrypted session or the number itself:
- The second is generally incomprehensible, which absolutely does not affect anything. This piece can be replaced with any set of letters and numbers, or even simply cut:
Now back to the fact that the link lives for about a day ...
When recovering the password through the mobile, we receive a code consisting of FIVE DIGITAL!
The first tests showed that there were no restrictions on entering the code, but this was a bit erroneous. When you enter the wrong code, the answer page contained a picture of a funny snail and the inscription “The link you are using is outdated ...”
When entering the correct code, the answer page informed us that the password was successfully changed:
Entering the code manually in the browser, the ban could not be achieved, but after automating this process, I saw that the ban occurred after five attempts, it was a ban on entering the code from one IP and the link did not die. When bathing, the answer page contained a cow and the inscription “Unfortunately, you too often repeat the same type of action. Try it less often. ”
Without thinking, I turned to my friend and he implemented this vulnerability in the software, which he affectionately called " 5digger ", then you will find out why ... The software worked through a proxy and therefore banned by IP we were not afraid;)
So, we have a rather serious hole, but how do we find out the victim's phone number? Above this, we had a little thought.
The program that helped us gathering the database of numbers and contents from their “info” helped us. It is called “ICQ Search Info” by .fry. This program somehow, in some incomprehensible way, saw the phone numbers of the owners, which they indicated in their information and which are hidden by default.
We immediately began to scan the five digits. As a result, we got a small base uin; phone . Unfortunately for us, it contained a bunch of garbage, as well as real numbers of the owners, but not attached to their ICQ number.
Since we are lazy people, I began to look for a form through which it was possible to check the number on registration in ICQ. However banal it may be, this was the registration form: www.icq.com/join/ru
With a simple query, I was able to quickly check my numbers:
The server response if the number is not registered in icq contained the following character set:
Having received a 100% valid uin base , I set to work on the phone . To begin with, I deleted all the lines containing Russian numbers, namely those starting with (+7)
The victims were the former ICQ admins and their friends with phone numbers starting at (+9725), as well as simply the numbers of unknown foreigners, I want to note that the original database contained a little less than 10 lines ...
As soon as we changed the password on the first admin number, which turned out to be Avi Zrachya's number (this is the former ICQ administrator from Israel), namely 34567, we saw that in his contact list there was just an incredible order ... Mostly his contact list consisted of his colleagues and friends. In this case, all the nicknames from the "info" were replaced with real names and surnames, as well as in many of the numbers in the "additional information" which he personally filled out, he could see the phone number. I was particularly pleased with the group “ Asechka.ru ”, where there were several of my comrades, and also the group “ Hackers ”, where there was a notorious crate xT.
As a result, I pulled out all the phone numbers and checked them in the way already described above and added to my base, this was not the end. It turned out that all admins had a contact list in approximately the same condition and from each of them we were able to pull out new unique phone numbers. I think our further actions and results should not be described to you as everyone can guess without it. I want to add only that all the numbers used were quickly returned to their owners, and this made up a rather large percentage ... This vulnerability was very funny fixed. To begin with, it was forbidden to change the password, and also to recover the password for numbers below 7 digits (six and five characters). And then when you enter the wrong code, the inscription "wrong code" began to appear and the ban was no longer on IP, but on entering the code from a specific link.
Now back to some fun thing I noticed.
Remember the request I used to check the numbers for registration? So, the limit on sending SMS to one number was not! This feature was immediately implemented in the flooder of mobile phones. The software worked for about two weeks, and then the limit was set for sending SMS.
We continue!
Again, there was no limit to enter the confirmation code and at the same time it was possible to register huge amounts of numbers without entering a captcha, and without having access to the phone specified during registration. For this, it was necessary to collect only a variable when sending SMS, which is called "transid" ie to collect a sheet of the form phone; transid , and then just pull in (select) the codes on this sheet and gradually register the numbers. This vulnerability is possible and is now, because at the time of writing this article I did not check it.
Now I will tell you about the login function through the code sent to the mobile
When entering the code through the site, I sent either five or six-digit confirmation code and trying to pick it up was a little hemorrhoid, considering that I already found the same function only in a slightly different place. In the ICQ 7M and ICQ 8 clients there is this function and when you enter the mobile, 4 character code is sent there, having chosen which, you will get all the variables for the login, I don’t remember exactly all their names, I only remember the main “sessionid” . This vulnerability was not implemented, since they could not figure out the signature of the requests, but it would be funny if on the same day, in the info of several dozen “elite” numbers, a comic inscription appeared: “ Hacked by Gay Nork Crew special for Asechka.ru ”
And finally, another fun feature
If you try to log in from a mobile number unregistered in ICQ, the code will be sent and the new number will be registered. So what am I doing all this for?
As soon as this function was introduced, it worked like this: this four-digit code was set as a password. But it did not last long, from about December 2012 to the end of January 2013, can you imagine how many numbers were registered in this way?
After a bit of thinking, I made up such a logical chain: if the number is registered in this way and has such a password, it means it is not used from the moment of registration → if the number is not used from the moment of registration, the date of the last change of information about the number was about the same as the date of registration!
Fortunately, the same ICQ Search Info harvester collected bases of the form uin; last profile update , collecting the base of such numbers, I went over passwords from the range 0000-9999 and saw pretty nice numbers ...
At the moment, if the number is registered in this way, then the password is not set. You can enter such a number using the same one-time four-digit codes or simply setting a password by going through the “password recovery” procedure via a mobile phone.
These are the interesting things that have opened innovations in ICQ and I think this kind of vulnerability is quite common. If suddenly your service has these functions, then be sure to check them for "lice".
So:
As the time shows, in ICQ, with the introduction of a new function, a new security breach opens, take at least this article:
')
“Html injection on icq.com pages”
Taking it as a basis, I began my research.
What is new in ICQ?
Attentive users will easily answer this question: “linking the ICQ number to your mobile phone number”.
But what functions at the same time appeared:
- Password recovery via code sent to mobile.
- Login (login to ICQ) via code sent to mobile.
- Registration of a new user through the code sent to the mobile.
I started of course with password recovery.
When entering the phone number associated with the ICQ number on the password recovery page www.icq.com/password, we see a page where we will be asked to enter the code that came to the mobile, as well as the new password.
The address of this page looks like this:
https://www.icq.com/password/resetcode/D5DCBDBAF629FE4A07FB8C790E9F9A6535A1FD2DCD78093E71C892844953EC82/ru This link lives about 24 hours.
The most important link piece consists of two parts:
- The first is either an encrypted session or the number itself:
D5DCBDBAF629FE4A07FB8C790E9F9A65 - The second is generally incomprehensible, which absolutely does not affect anything. This piece can be replaced with any set of letters and numbers, or even simply cut:
35A1FD2DCD78093E71C892844953EC82 Now back to the fact that the link lives for about a day ...
When recovering the password through the mobile, we receive a code consisting of FIVE DIGITAL!
The first tests showed that there were no restrictions on entering the code, but this was a bit erroneous. When you enter the wrong code, the answer page contained a picture of a funny snail and the inscription “The link you are using is outdated ...”
When entering the correct code, the answer page informed us that the password was successfully changed:
Entering the code manually in the browser, the ban could not be achieved, but after automating this process, I saw that the ban occurred after five attempts, it was a ban on entering the code from one IP and the link did not die. When bathing, the answer page contained a cow and the inscription “Unfortunately, you too often repeat the same type of action. Try it less often. ”
Without thinking, I turned to my friend and he implemented this vulnerability in the software, which he affectionately called " 5digger ", then you will find out why ... The software worked through a proxy and therefore banned by IP we were not afraid;)
So, we have a rather serious hole, but how do we find out the victim's phone number? Above this, we had a little thought.
The program that helped us gathering the database of numbers and contents from their “info” helped us. It is called “ICQ Search Info” by .fry. This program somehow, in some incomprehensible way, saw the phone numbers of the owners, which they indicated in their information and which are hidden by default.
We immediately began to scan the five digits. As a result, we got a small base uin; phone . Unfortunately for us, it contained a bunch of garbage, as well as real numbers of the owners, but not attached to their ICQ number.
Since we are lazy people, I began to look for a form through which it was possible to check the number on registration in ICQ. However banal it may be, this was the registration form: www.icq.com/join/ru
With a simple query, I was able to quickly check my numbers:
GET http://icq.com/join/send_sms_code/ru?msisdn=<phone> The server response if the number is not registered in icq contained the following character set:
"status":200,"statusText":"Ok" Having received a 100% valid uin base , I set to work on the phone . To begin with, I deleted all the lines containing Russian numbers, namely those starting with (+7)
The victims were the former ICQ admins and their friends with phone numbers starting at (+9725), as well as simply the numbers of unknown foreigners, I want to note that the original database contained a little less than 10 lines ...
As soon as we changed the password on the first admin number, which turned out to be Avi Zrachya's number (this is the former ICQ administrator from Israel), namely 34567, we saw that in his contact list there was just an incredible order ... Mostly his contact list consisted of his colleagues and friends. In this case, all the nicknames from the "info" were replaced with real names and surnames, as well as in many of the numbers in the "additional information" which he personally filled out, he could see the phone number. I was particularly pleased with the group “ Asechka.ru ”, where there were several of my comrades, and also the group “ Hackers ”, where there was a notorious crate xT.
As a result, I pulled out all the phone numbers and checked them in the way already described above and added to my base, this was not the end. It turned out that all admins had a contact list in approximately the same condition and from each of them we were able to pull out new unique phone numbers. I think our further actions and results should not be described to you as everyone can guess without it. I want to add only that all the numbers used were quickly returned to their owners, and this made up a rather large percentage ... This vulnerability was very funny fixed. To begin with, it was forbidden to change the password, and also to recover the password for numbers below 7 digits (six and five characters). And then when you enter the wrong code, the inscription "wrong code" began to appear and the ban was no longer on IP, but on entering the code from a specific link.
Now back to some fun thing I noticed.
Remember the request I used to check the numbers for registration? So, the limit on sending SMS to one number was not! This feature was immediately implemented in the flooder of mobile phones. The software worked for about two weeks, and then the limit was set for sending SMS.
We continue!
Again, there was no limit to enter the confirmation code and at the same time it was possible to register huge amounts of numbers without entering a captcha, and without having access to the phone specified during registration. For this, it was necessary to collect only a variable when sending SMS, which is called "transid" ie to collect a sheet of the form phone; transid , and then just pull in (select) the codes on this sheet and gradually register the numbers. This vulnerability is possible and is now, because at the time of writing this article I did not check it.
Now I will tell you about the login function through the code sent to the mobile
When entering the code through the site, I sent either five or six-digit confirmation code and trying to pick it up was a little hemorrhoid, considering that I already found the same function only in a slightly different place. In the ICQ 7M and ICQ 8 clients there is this function and when you enter the mobile, 4 character code is sent there, having chosen which, you will get all the variables for the login, I don’t remember exactly all their names, I only remember the main “sessionid” . This vulnerability was not implemented, since they could not figure out the signature of the requests, but it would be funny if on the same day, in the info of several dozen “elite” numbers, a comic inscription appeared: “ Hacked by Gay Nork Crew special for Asechka.ru ”
And finally, another fun feature
If you try to log in from a mobile number unregistered in ICQ, the code will be sent and the new number will be registered. So what am I doing all this for?
As soon as this function was introduced, it worked like this: this four-digit code was set as a password. But it did not last long, from about December 2012 to the end of January 2013, can you imagine how many numbers were registered in this way?
After a bit of thinking, I made up such a logical chain: if the number is registered in this way and has such a password, it means it is not used from the moment of registration → if the number is not used from the moment of registration, the date of the last change of information about the number was about the same as the date of registration!
Fortunately, the same ICQ Search Info harvester collected bases of the form uin; last profile update , collecting the base of such numbers, I went over passwords from the range 0000-9999 and saw pretty nice numbers ...
At the moment, if the number is registered in this way, then the password is not set. You can enter such a number using the same one-time four-digit codes or simply setting a password by going through the “password recovery” procedure via a mobile phone.
These are the interesting things that have opened innovations in ICQ and I think this kind of vulnerability is quite common. If suddenly your service has these functions, then be sure to check them for "lice".
Source: https://habr.com/ru/post/183190/
All Articles