Phone numbers are enough to access user accounts on some mobile operator portals

Researcher reveals trivial authentication bypass vulnerability that could allow attackers to make purchases from mobile subscriber accounts

Attackers could impersonate legitimate mobile users on the Web portals many mobile operators use to sell content and services to their customers because of a security flaw in the sites, according to Bogdan Alecu, an independent security researcher from Romania.

The attacker only needs to know a user's phone number in order to exploit the vulnerability and buy games, ringtones, wallpapers or service subscriptions through the user's account on operators' WAP (Wireless Application Protocol) and Web portals, Alecu said.

The security researcher claims to have discovered the authentication bypass vulnerability in the websites of many mobile operators back in January.

The WAP and Web portals of 20 operators from Romania, Germany, Austria, Italy, France, Poland, the U.K., Brazil and the Netherlands were tested and around 15 of them were found to be vulnerable in one way or another, Alecu said.

The vulnerability stems from the fact that many such websites authenticate users automatically based on special HTTP headers that carry the subscriber's phone number. These headers are sent by mobile browsers or added by the operator's proxy server when the phone's data connection is used, and the portal trusts them without any further check.

Alecu found that he could gain access to another subscriber's online account by forcing his browser to send HTTP headers that contained that subscriber's phone number instead of his own. He calls this an HTTP header pollution attack.

To test this attack, the researcher used Mozilla Firefox running on his laptop, because Firefox has extensions that allow sending custom headers and spoofing the User-Agent string to masquerade as a mobile browser.

In some cases, for the attack to work, the browser had to be configured to use the mobile operator's proxy server, which is publicly known, before accessing its website, Alecu said.

Sometimes the attack worked over the computer's existing Internet connection. However, in other cases, launching a successful attack required buying a SIM card from the targeted operator, plugging it into a 3G modem and connecting the computer through that.

That's because some operators block access to their portals from IP addresses that are not from their own networks.

However, in the absence of a SIM card, this restriction can be bypassed by connecting through the legacy dial-up services known as Circuit Switched Data (CSD) still offered by some operators, Alecu said. The researcher first connected to a voice-over-IP service that supports caller ID spoofing and then called the operator's dial-up number to get on its network.
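The attack and the countermeasure described above, modelled in code. This is an added example written for this page, not Alecu's tooling or any operator's software: the header names, the gateway address range, the subscriber records and the prices are all constructed for the demonstration, and the article does not say which headers the tested portals honoured. It shows three things: a portal that trusts any MSISDN header is taken over by a laptop sending the victim's number; a source-address check alone stops the laptop on the public Internet but not an attacker who is already on the operator's network (own SIM or CSD dial-up); and a gateway that strips client-supplied MSISDN headers before adding the number bound to the data session makes the polluted header harmless.

```python
"""Header pollution against an operator portal, vulnerable and hardened.

Added example; not code from the article. Header names, addresses and the
subscriber records below are constructed for the demonstration.
"""
from ipaddress import ip_address, ip_network

# Header names through which operator gateways have conventionally carried the
# caller's MSISDN (phone number). Assumed for this example.
MSISDN_HEADERS = ("X-MSISDN", "X-Up-Calling-Line-ID", "X-Nokia-MSISDN")
_MSISDN_HEADERS_LC = {h.lower() for h in MSISDN_HEADERS}

# Constructed subscriber database: MSISDN -> account record.
SUBSCRIBERS = {
    "40700000001": {"name": "victim", "balance": 20.0},
    "40700000002": {"name": "attacker", "balance": 5.0},
}

# Address range of the operator's own WAP/Web gateway (assumed).
TRUSTED_GATEWAY = ip_network("10.1.1.0/24")


class Request:
    """Minimal stand-in for an HTTP request as the portal sees it."""

    def __init__(self, headers, remote_addr):
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.remote_addr = ip_address(remote_addr)

    def header(self, name):
        return self.headers.get(name.lower())


def vulnerable_authenticate(req):
    """Flawed pattern: accept the MSISDN from any recognised header, from anyone."""
    for name in MSISDN_HEADERS:
        msisdn = req.header(name)
        if msisdn and msisdn in SUBSCRIBERS:
            return msisdn
    return None


def hardened_authenticate(req):
    """Accept the MSISDN only from one header and only when the request arrived
    from the operator's own gateway. On its own this is not enough: an attacker
    holding a SIM is behind that gateway too, so the gateway must also replace
    any client-supplied header with the number of the real data session
    (see gateway_forward)."""
    if req.remote_addr not in TRUSTED_GATEWAY:
        return None
    msisdn = req.header("X-MSISDN")
    if not msisdn or not msisdn.isdigit() or not 8 <= len(msisdn) <= 15:
        return None
    return msisdn if msisdn in SUBSCRIBERS else None


def gateway_forward(client_req, session_msisdn):
    """Model of a correctly behaving operator gateway: drop every MSISDN header the
    client sent, insert the number bound to the bearer session (a parameter here)
    and forward from the gateway's own address."""
    clean = {k: v for k, v in client_req.headers.items() if k not in _MSISDN_HEADERS_LC}
    clean["X-MSISDN"] = session_msisdn
    return Request(clean, "10.1.1.5")


def purchase(authenticate, req, price):
    """Charge `price` to whichever account the authenticator resolves.
    Returns the MSISDN charged, or None if the request was refused."""
    msisdn = authenticate(req)
    if msisdn is None:
        return None
    SUBSCRIBERS[msisdn]["balance"] -= price
    return msisdn


def polluted_request(victim_msisdn, remote_addr="203.0.113.7"):
    """What a laptop browser with a custom-header extension sends: a mobile
    User-Agent plus the victim's number in an MSISDN header."""
    return Request(
        {"User-Agent": "Mozilla/5.0 (Linux; Android 2.3) Mobile", "X-MSISDN": victim_msisdn},
        remote_addr,
    )


def demo():
    victim, attacker = "40700000001", "40700000002"
    start = {m: SUBSCRIBERS[m]["balance"] for m in (victim, attacker)}
    results = {
        # Laptop on the public Internet, victim's number in the header.
        "vulnerable_direct": purchase(vulnerable_authenticate, polluted_request(victim), 2.5),
        "hardened_direct": purchase(hardened_authenticate, polluted_request(victim), 2.5),
        # Attacker already on the operator's network, same polluted request,
        # relayed by a gateway that rewrites the header from the real session.
        "hardened_via_gateway": purchase(
            hardened_authenticate, gateway_forward(polluted_request(victim), attacker), 2.5
        ),
    }
    results["victim_charged"] = round(start[victim] - SUBSCRIBERS[victim]["balance"], 2)
    results["attacker_charged"] = round(start[attacker] - SUBSCRIBERS[attacker]["balance"], 2)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` charges the victim once (the flawed portal took the polluted header at face value), refuses the direct laptop request at the hardened portal, and, when the attacker relays the same request through a gateway that overwrites the header, charges the attacker's own number instead. The header-stripping step in the gateway is the part that actually closes the hole; the source-address check only narrows who can reach the portal, which is the situation the SIM-card and dial-up experiments above worked around.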

What can be done once you gain access to a user's account depends on what kind of services the targeted operator offers on its website, Alecu said.

In addition to buying premium rate content, some operators offer the ability to recharge a prepaid SIM card from a mobile user's online account. Other operators use separate accounts for such operations, which are protected by a username and password.

The portal of a mobile operator from China even allowed users to perform online banking transactions if they had a particular service enabled, the researcher said. That was probably the result of a partnership between the operator and a number of banks.

Another issue is that while some operators notify users of purchases made from their accounts via SMS, others don't, Alecu said. In the latter situation, users will probably only notice the fraudulent charges at the end of the month, when they appear on their monthly bill.

None of the tests performed while investigating this vulnerability resulted in actual fraud, Alecu said. The researcher claims to have used prepaid SIM cards that he bought from the operators in most of his tests.

However, obtaining prepaid SIM cards for operators from some countries can't easily be done over the Internet and requires a photo ID, Alecu said. In those cases, only the ability to access other accounts was tested, but no actions that could have resulted in those accounts being charged were performed, he said.

The security weakness was reported privately to operators back in March and many of them have already addressed it, Alecu said.

The researcher declined to publicly name any of the affected operators, saying that it's not his intention to discredit them. However, the GSM Association (GSMA), an organization that represents the interests of mobile operators worldwide, was notified and issued a security alert to its members, he said.

"The GSMA was notified of Bogdan Alecu's research in April 2012 by a GSMA member," GSMA spokeswoman Claire Cranton said Monday via email. "Shortly after this (April 20th) the GSMA notified its members of Mr. Alecu's research and provided a copy of his paper with a recommendation that GSMA members check their exposure to the reported vulnerability and we advised that the countermeasures recommended by Mr. Alecu be adopted if the vulnerability was found."

Alecu is satisfied with how promptly most operators handled the issue after being notified. This is in contrast to his experience from last year, when he reported a vulnerability in SIM Toolkits -- special applications programmed on SIM cards -- that he claims remains largely unfixed to this day.

That said, the researcher didn't know how many operators from around the world are still vulnerable to the new attack. For example, Alecu didn't manage to test the websites of any U.S. operators because he had difficulties obtaining prepaid SIM cards from them that had international data roaming enabled.

Not all of the notified operators entirely fixed the problem, Alecu said. For some of them, the dial-up attack method still works.

In addition, many operators have partnerships with third-party content providers and this attack might still work on the websites of those partners, he said.

Alecu presented his discovery in detail at the EUSecWest security conference in Amsterdam on Wednesday and hopes that other people will test which operators are affected and report their findings to them. He also advised concerned users to check if their own operators provide an option to disable access to premium-rate content.

Lucian Constantin

IDG News Service