Vulnerability Development mailing list archives
RE: Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile Numbers}
From: <tlarholm () pivx com>
Date: Tue, 17 Feb 2004 11:50:32 -0800
The sender ID on SMS messages is very much like the From header in an email message: it is arbitrary and can contain anything. Anyone in possession of an SMS gateway can set the Sender ID to any alphanumeric string, a fact which many telcos are already using to write service names instead of service numbers ("new message from: Voicemail"). Clickatell has programmatic access to an SMS gateway and has extended the level of trust on creating SMS headers to their users.

I can imagine that there would be a potential for injecting additional SMS headers. Like most HTTP redirect scripts on the web, input validation is likely to be scarce, and if you know how to construct SMS headers you could have fun with injecting strings such as "+123456789\x10\x13Newheader: newvalue".

What is special about SMS messages is that your phone does not display the routing information. If you receive an email message you at least have the option to view the email headers and see where the email originated.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net>

-----Original Message-----
From: Jignesh Ghaghada [mailto:jghaghada () treadsetters com]
Sent: Tuesday, February 17, 2004 3:01 AM
To: vuln-dev () securityfocus com
Subject: Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile Numbers}

Messenger Pro 3 from Clickatell.com has a security issue which allows a person to input any mobile number and send a text message, which can cause problems.

After installing the software you are able to log in and get 5 free messages or credits. You can register as many times as you want, getting 5 credits each time after you have used up your credits, allowing you to send multiple messages.

Under the Options tab of the program there is an Extra setting which allows you to put in a Sender Id. Under this option you can input any mobile number and send the text, which sends a text message showing it as coming from someone else, i.e. spoofing.

Example:
A No: +123456789
B No: +987654321
C No: +147258369

Let us say that you wanted to send a message to B but didn't want to show your number but wanted C's number to appear: you can input C's number and send the message. {Spoofing}

I am not quite versatile with explaining it in full detail, but this is all I can write.

Thanks
Jignesh Ghaghada
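The check a gateway operator would want on the Sender ID field discussed above, as an added example that is not code from either poster or from Clickatell: it confines the originator to the two shapes an SMS network actually carries (a short alphanumeric label or an international number), rejects control characters such as the \x10\x13 bytes in Thor's injection string before they reach any downstream protocol message, and only allows a numeric originator that the sending account has previously verified. The 11-character alphanumeric and 15-digit numeric limits are the common GSM/E.164 conventions; the verified-number policy and all function names are assumptions for this example, and the sample numbers are the ones from the original post.

```python
import re

# Assumed limits based on common SMS gateway conventions: an alphanumeric
# originator fits in 11 GSM-7 characters; an international number is at most
# 15 digits (E.164) with an optional leading '+'.
ALPHANUMERIC_RE = re.compile(r"^[A-Za-z0-9 ]{1,11}$")
NUMERIC_RE = re.compile(r"^\+?[1-9][0-9]{1,14}$")


def classify_sender_id(sender_id):
    """Return 'numeric' or 'alphanumeric', or raise ValueError.

    Control characters (anything below 0x20, or DEL) are rejected first so a
    value like "+123456789\\x10\\x13Newheader: newvalue" can never be passed
    on to the gateway protocol layer, whatever that layer does with it.
    """
    if not isinstance(sender_id, str):
        raise ValueError("sender id must be a string")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in sender_id):
        raise ValueError("control character in sender id")
    if NUMERIC_RE.match(sender_id):
        return "numeric"
    if ALPHANUMERIC_RE.match(sender_id):
        return "alphanumeric"
    raise ValueError("sender id has unsupported shape")


def _normalize_number(number):
    # Compare numbers without the optional '+' so "+147258369" == "147258369".
    return number.lstrip("+")


def vet_sender_id(sender_id, verified_numbers, allow_alphanumeric=False):
    """Decide whether an account may send with this originator.

    verified_numbers is the (assumed) list of numbers the account has proven
    it controls. Returns (allowed, reason) so callers can log the reason.
    """
    try:
        kind = classify_sender_id(sender_id)
    except ValueError as exc:
        return (False, str(exc))
    if kind == "numeric":
        owned = {_normalize_number(n) for n in verified_numbers}
        if _normalize_number(sender_id) in owned:
            return (True, "verified number")
        return (False, "number not verified for this account")
    if allow_alphanumeric:
        return (True, "alphanumeric")
    return (False, "alphanumeric originators disabled")


if __name__ == "__main__":
    # Constructed scenario from the thread: A (+123456789) wants to appear as C.
    account_numbers = ["+123456789"]
    for candidate in ["+123456789", "+147258369",
                      "+123456789\x10\x13Newheader: newvalue", "Voicemail"]:
        print(repr(candidate), vet_sender_id(candidate, account_numbers))
```

With this policy A can only originate as its own verified number; asking for C's number is refused rather than passed through, and the injection string is dropped before it is ever serialised. Alphanumeric labels stay off by default, since they are exactly the "Voicemail"-style names a recipient cannot distinguish from a carrier's own.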
Current thread:
- Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile Numbers} Jignesh Ghaghada (Feb 17)
- RE: Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile Numbers} AJ McKee (Feb 17)
- <Possible follow-ups>
- RE: Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile Numbers} Razvan Dragomirescu (Feb 17)
- RE: Messenger Pro 3 from Clickatell.{Allows you to spoof Mobile Numbers} tlarholm (Feb 17)