Add an arbitrary phone in the personal account of the mobile operator Kyivstar (Ukraine)
I am a client of the Ukrainian mobile operator Kyivstar and a user of their web service my.kyivstar.ua . Like many other operators, Kyivstar offers a web version of a personal account in which you can view the account balance, call details, change the tariff, order or deactivate the service, etc.
They also recently launched a new version of their personal account, new.kyivstar.ua . An interesting feature appeared in it - adding another Kyivstar phone via SMS verification. I took her to check for the presence of vulnerabilities, as she actually gave the same access to the phone being added, as well as to her, which I was not particularly pleased with as a client.
The new site has the following phone addition interface:
Adding is done in 4 steps:
Enter the phone number
The choice of option through the accession by SMS (it happens even through a static password, but I do not see it)
')
Enter received SMS.
The confirmation.
These 4 steps are converted into a series of POST and GET requests. The last three requests from this series are responsible for adding the number after the completed OTP verification.
And I decided to check: what if to repeat these requests without those responsible for SMS verification.
Consider in more detail these last 3 requests.
They have the following appearance in the Google Chrome developer tool (Shift + Ctrl + I):
Requests for merge.rpc are sent to account.kyivstar.ua/cas/merge/merge.rpc .
Content of the first request:
The request contains the number of the phone to be added (097 ...)
Content of the second query:
The third request to the address new.kyivstar.ua/ecare/addOrMerge is a GET request without parameters, confirming the previous two operations.
Next, I decided to replay these 3 requests, after removing the newly added phone from my personal account.
For playback, I used the Postman application.
As expected, after updating the page, the phone was successfully added to your personal account.
What we have.
We can add any phone number to our personal account without SMS verification and manage it as ours, namely:
The best gift scammers can not imagine.
As it should be, I immediately contacted Kyivstar customer support and asked to provide me with contact details of the security service or the responsible development department employee in order to describe in detail the essence of the vulnerability and the way it was played. As expected, I was denied my request and offered to send a description of the vulnerability either to chat or through the universal form on the site.
Understanding what risks are possible if the detailed description of the vulnerability is available to any customer support employee, I still insisted on my request, but again without success. Understanding that there is no other way out, I issued a detailed instruction on how to reproduce the vulnerability in the Google Docs file, wrapped it in a link through the clickmeter.com tracking service and sent it to the chat.
As I expected, my application caused a stir and increased interest among the company's employees, which is reflected in analytics of the clickmeter.com service:
The application for 2 days was viewed by 22 unique users.
According to statistics, it is clear that the link was viewed both from computers and from mobile devices. The geography of views was also not limited to the Kiev office, in the list Kiev, Lvov, Dnepropetrovsk, Tbilisi.
Analyzing the statistics, it becomes clear that the existing communication channel with the company is not intended for filing applications of this kind and may lead to information leakage and operation by third parties until the vulnerability is closed.
It is worth paying tribute to the company, the responsible officer contacted me on the second day, thanked and asked to remove the link from the public. Over the next few weeks, the vulnerability was closed, and I was again contacted and informed that the application was completed.
This story reminds us that we need to be more attentive to information security issues in companies of such magnitude as Kyivstar, to create separate communication channels for this, access to which only authorized employees will have access to. Well, as well as the company's participation in bug-bounty programs or creating your own, also has a positive effect on strengthening security services.
They also recently launched a new version of their personal account, new.kyivstar.ua . An interesting feature appeared in it - adding another Kyivstar phone via SMS verification. I took her to check for the presence of vulnerabilities, as she actually gave the same access to the phone being added, as well as to her, which I was not particularly pleased with as a client.
The new site has the following phone addition interface:
Adding is done in 4 steps:
Enter the phone number
The choice of option through the accession by SMS (it happens even through a static password, but I do not see it)
')
Enter received SMS.
The confirmation.
These 4 steps are converted into a series of POST and GET requests. The last three requests from this series are responsible for adding the number after the completed OTP verification.
And I decided to check: what if to repeat these requests without those responsible for SMS verification.
Consider in more detail these last 3 requests.
They have the following appearance in the Google Chrome developer tool (Shift + Ctrl + I):
Requests for merge.rpc are sent to account.kyivstar.ua/cas/merge/merge.rpc .
Content of the first request:
The request contains the number of the phone to be added (097 ...)
Content of the second query:
The third request to the address new.kyivstar.ua/ecare/addOrMerge is a GET request without parameters, confirming the previous two operations.
Next, I decided to replay these 3 requests, after removing the newly added phone from my personal account.
For playback, I used the Postman application.
As expected, after updating the page, the phone was successfully added to your personal account.
What we have.
We can add any phone number to our personal account without SMS verification and manage it as ours, namely:
- view balance and call details
- view the PUK1 code and serial number of the SIM card, which allows you to replace the SIM card yourself
- add new services and change the tariff plan
- and most importantly - transfer money from phone to phone
The best gift scammers can not imagine.
As it should be, I immediately contacted Kyivstar customer support and asked to provide me with contact details of the security service or the responsible development department employee in order to describe in detail the essence of the vulnerability and the way it was played. As expected, I was denied my request and offered to send a description of the vulnerability either to chat or through the universal form on the site.
Understanding what risks are possible if the detailed description of the vulnerability is available to any customer support employee, I still insisted on my request, but again without success. Understanding that there is no other way out, I issued a detailed instruction on how to reproduce the vulnerability in the Google Docs file, wrapped it in a link through the clickmeter.com tracking service and sent it to the chat.
As I expected, my application caused a stir and increased interest among the company's employees, which is reflected in analytics of the clickmeter.com service:
The application for 2 days was viewed by 22 unique users.
According to statistics, it is clear that the link was viewed both from computers and from mobile devices. The geography of views was also not limited to the Kiev office, in the list Kiev, Lvov, Dnepropetrovsk, Tbilisi.
Analyzing the statistics, it becomes clear that the existing communication channel with the company is not intended for filing applications of this kind and may lead to information leakage and operation by third parties until the vulnerability is closed.
It is worth paying tribute to the company, the responsible officer contacted me on the second day, thanked and asked to remove the link from the public. Over the next few weeks, the vulnerability was closed, and I was again contacted and informed that the application was completed.
This story reminds us that we need to be more attentive to information security issues in companies of such magnitude as Kyivstar, to create separate communication channels for this, access to which only authorized employees will have access to. Well, as well as the company's participation in bug-bounty programs or creating your own, also has a positive effect on strengthening security services.
Source: https://habr.com/ru/post/305706/
All Articles