Vulnerability Development mailing list archives

RE: Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile Numbers}


From: <tlarholm () pivx com>
Date: Tue, 17 Feb 2004 11:50:32 -0800

The sender ID on SMS messages is very much like the From header in an
email message; it is arbitrary and can contain anything. Anyone in
possession of an SMS gateway can set the Sender ID to any alphanumeric
string, a fact which many telcos are already using to write service
names instead of service numbers ("new message from: Voicemail").

Clickatell has programmatic access to an SMS gateway and has extended
the level of trust on creating SMS headers to their users.

I can imagine that there would be a potential for injecting additional
SMS headers. Like most HTTP redirect scripts on the web, input
validation is likely to be scarce and if you know how to construct SMS
headers you could have fun with injecting strings such as
"+123456789\x10\x13Newheader: newvalue".

What is special about SMS messages is that your phone does not display
the routing information. If you receive an email message you at least
have the option to view the email headers and see where the email
originated.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

-----Original Message-----
From: Jignesh Ghaghada [mailto:jghaghada () treadsetters com] 
Sent: Tuesday, February 17, 2004 3:01 AM
To: vuln-dev () securityfocus com
Subject: Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile
Numbers}




Messenger Pro 3 from Clickatell.com has a security issue which allows a
person to input any mobile number and send a txt message, which can cause
problems. After installing the software you are able to log in and get 5
free messages or credits. You can register as many times as you want,
getting 5 credits after you have finished or used up your credits,
allowing you to send multiple messages. Under the options tab of the
program there is an Extra setting which allows you to put in a Sender
Id:. Under this option you can input any mobile number and send the text,
which sends a txt message showing it as coming from someone else, i.e.
spoofing. Example:

A No: +123456789
B No: +987654321
C No: +147258369

Let us say that you wanted to send a message to B but didn't want to show
your number, and wanted C's No to appear; you can input C's No and send
the message. {Spoofing}.

I am not quite versatile with explaining it in full detail but this is
all I can write.

Thanks

Jignesh Ghaghada

