Phone numbers are enough to access user accounts on some mobile operator portals

Researcher reveals trivial authentication bypass vulnerability that could allow attackers to make purchases from mobile subscriber accounts

Attackers could impersonate legitimate mobile users on the Web portals many mobile operators use to sell content and services to their customers because of a security flaw in the sites, according to Bogdan Alecu, an independent security researcher from Romania.

The attacker only needs to know a user's phone number in order to exploit the vulnerability and buy games, ringtones, wallpapers or service subscriptions through the user's account on operators' WAP (Wireless Application Protocol) and Web portals, Alecu said.

The security researcher claims to have discovered the authentication bypass vulnerability in the websites of many mobile operators back in January.

The WAP and Web portals of 20 operators from Romania, Germany, Austria, Italy, France, Poland, the U.K., Brazil and the Netherlands were tested and around 15 of them were found to be vulnerable in one way or another, Alecu said.

The vulnerability stems from the fact that many such websites authenticate users automatically based on special HTTP headers that carry the subscriber's phone number. These headers are sent by mobile browsers or added by the operator's proxy server when the phone's data connection is used, and the portal treats the number in them as proof of identity without any further check.

Alecu found that he can gain access to another subscriber's online account by forcing his browser to send HTTP headers that contained that subscriber's phone number instead of his own. He calls this an HTTP headers pollution attack.

To test this attack, the researcher used Mozilla Firefox running on his laptop because Firefox has extensions that allow sending custom headers and spoofing the user-agent strings to masquerade as a mobile browser.

In some cases, for the attack to work, the browser had to be configured to use the mobile operator's proxy server, whose address is publicly known, before accessing its website, Alecu said.

Sometimes the attack worked using the computer's existing Internet connection. However, in other cases, launching a successful attack required buying a SIM card from the targeted operator, plugging it into a 3G modem and connecting the computer through that.

That's because some operators block access to their portals from IP addresses that are not from their own networks.

However, in the absence of a SIM card, this restriction can be bypassed by connecting through the legacy dial-up services known as Circuit Switched Data (CSD) still offered by some operators, Alecu said. The researcher first connected to a voice-over-IP service that supports caller ID spoofing and then called the operator's dial-up number to get on its network.
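The trust boundary the preceding paragraphs describe, modelled as an added example (this is not the article's code and not from Alecu's paper): a portal that accepts whatever subscriber-number header arrives, beside a version that only honours the header when it was set by the operator's own proxy for a client on the operator's network. The header names (X-MSISDN, X-Up-Calling-Line-ID, X-Nokia-MSISDN) are assumed as typical of what operator gateways insert, the IP addresses and sample requests are constructed, and requests are plain dicts rather than a real HTTP stack.

```python
"""
Added example, not code from the article or from Alecu's paper: a minimal
model of the portal-side authentication the article describes, as two
identity functions over a parsed HTTP request.

Assumptions (none come from the article): the header names are typical of
what operator proxies insert, the IP addresses are constructed, and requests
are dicts with "headers" and "peer_ip" keys.
"""
import ipaddress

# Header names some operator gateways use to carry the subscriber number
# (MSISDN). Assumed for this example; real operators differ.
MSISDN_HEADERS = ("X-MSISDN", "X-Up-Calling-Line-ID", "X-Nokia-MSISDN")
_MSISDN_LOWER = {h.lower() for h in MSISDN_HEADERS}

# Constructed addresses: the operator's own proxy (the only hop allowed to
# assert a subscriber number) and the block it hands out to handsets.
TRUSTED_PROXY = ipaddress.ip_address("10.0.0.2")
OPERATOR_NET = ipaddress.ip_network("10.0.0.0/8")


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None


def vulnerable_identify(request):
    """The logic the article describes: whichever MSISDN header arrives is
    taken as the logged-in subscriber, no matter who put it there. A client
    that sets the header itself (Alecu's "HTTP headers pollution") is logged
    in as that number."""
    for name in MSISDN_HEADERS:
        msisdn = _header(request["headers"], name)
        if msisdn:
            return msisdn
    return None


def proxy_forward(client_request, session_msisdn):
    """What a trustworthy operator proxy has to do before forwarding: drop
    every subscriber-identity header the client sent, then set X-MSISDN from
    the number the network itself authenticated for this data session (the
    SIM behind the connection), never from client input."""
    clean = {k: v for k, v in client_request["headers"].items()
             if k.lower() not in _MSISDN_LOWER}
    clean["X-MSISDN"] = session_msisdn
    return {"headers": clean,
            "peer_ip": str(TRUSTED_PROXY),
            "client_ip": client_request["peer_ip"]}


def hardened_identify(request):
    """Accept the header only when the request arrived from the operator's own
    proxy on behalf of a client inside the operator's network, and only if it
    looks like a phone number. Everything else is unauthenticated and must go
    through a real login instead."""
    if ipaddress.ip_address(request["peer_ip"]) != TRUSTED_PROXY:
        return None
    client_ip = ipaddress.ip_address(request.get("client_ip", request["peer_ip"]))
    if client_ip not in OPERATOR_NET:
        return None
    msisdn = _header(request["headers"], "X-MSISDN")
    if not msisdn or not msisdn.isdigit() or not 8 <= len(msisdn) <= 15:
        return None
    return msisdn


# Constructed requests. The attacker is the laptop-plus-Firefox setup from the
# article: a spoofed mobile User-Agent plus a victim's number in the header.
VICTIM = "40721000001"
ATTACKER = "40721000002"

ATTACK_FROM_INTERNET = {
    "headers": {"User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.6) Mobile Safari",
                "X-MSISDN": VICTIM},
    "peer_ip": "203.0.113.7",  # attacker's own Internet address
}

# The same request sent from a handset/modem address (the 3G-modem route in
# the article) through a proxy that strips and re-sets the header.
ATTACK_VIA_PROXY = proxy_forward(
    {"headers": ATTACK_FROM_INTERNET["headers"], "peer_ip": "10.45.6.7"},
    session_msisdn=ATTACKER,
)


if __name__ == "__main__":
    print("direct, vulnerable portal :", vulnerable_identify(ATTACK_FROM_INTERNET))
    print("direct, hardened portal   :", hardened_identify(ATTACK_FROM_INTERNET))
    print("via proxy, hardened portal:", hardened_identify(ATTACK_VIA_PROXY))
```

Against the vulnerable function the direct request is identified as the victim; against the hardened one it is rejected, and through the stripping proxy it is identified as the attacker's own SIM, which is the intended result. The model says nothing about how the proxy learns the number in the first place: if that comes from a spoofable source, the hardened check passes with a wrong number, which is consistent with the article's later remark that the dial-up route still works against some operators.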

What can be done once you gain access to a user's account depends on what kind of services the targeted operator offers on its website, Alecu said.

In addition to buying premium rate content, some operators offer the ability to recharge a prepaid SIM card from a mobile user's online account. Other operators use separate accounts for such operations that are protected by a username and password.

The portal of a mobile operator from China even allowed users to perform online banking transactions if they had a particular service enabled, the researcher said. That was probably the result of a partnership between the operator and a number of banks.

Another issue is that while some operators notify users of purchases made from their accounts via SMS, others don't, Alecu said. In the latter situation, users will probably only notice the fraudulent charges at the end of the month, when they appear on their monthly bill.

None of the tests performed while investigating this vulnerability resulted in actual fraud, Alecu said. The researcher claims to have used prepaid SIM cards that he bought from the operators in most of his tests.

However, obtaining prepaid SIM cards for operators from some countries can't easily be done over the Internet and requires a photo ID, Alecu said. In those cases, only the ability to access other accounts was tested, but no actions that could have resulted in those accounts being charged were performed, he said.

The security weakness was reported privately to operators back in March and many of them have already addressed it, Alecu said.

The researcher declined to publicly name any of the affected operators, saying that it's not his intention to discredit them. However, the GSM Association (GSMA), an organization that represents the interests of mobile operators worldwide, was notified and issued a security alert to its members, he said.

"The GSMA was notified of Bogdan Alecu's research in April 2012 by a GSMA member," GSMA spokeswoman Claire Cranton said Monday via email. "Shortly after this (April 20th) the GSMA notified its members of Mr. Alecu's research and provided a copy of his paper with a recommendation that GSMA members check their exposure to the reported vulnerability and we advised that the countermeasures recommended by Mr. Alecu be adopted if the vulnerability was found."

Alecu is satisfied with how promptly most operators handled the issue after being notified. This is in contrast to his experience from last year, when he reported a vulnerability in SIM Toolkits -- special applications programmed on SIM cards -- that he claims remains largely unfixed to this day.

That said, the researcher didn't know how many operators from around the world are still vulnerable to the new attack. For example, Alecu didn't manage to test the websites of any U.S. operators because he had difficulties obtaining prepaid SIM cards from them that had international data roaming enabled.

Not all of the notified operators entirely fixed the problem, Alecu said. For some of them, the dial-up attack method still works.

In addition, many operators have partnerships with third-party content providers and this attack might still work on the websites of those partners, he said.

Alecu presented his discovery in detail at the EUSecWest security conference in Amsterdam on Wednesday and hopes that other people will test which operators are affected and report their findings to them. He also advised concerned users to check if their own operators provide an option to disable access to premium-rate content.

By Lucian Constantin