Security concerns about website text message Registration

Source: Internet
Author: User

Currently, many websites offer registration by text message (SMS). A user need only register to use the various paid (and occasionally free) SMS services the site provides. Registration is free and quick, but I have found that many sites omit important steps from the registration process, leaving serious security risks. Let us look at the registration procedure one website provides. It is indeed "quick"!


Analyzing the source code of the web page (the submitted form):

Readers familiar with form handling will understand what is sent to the server when this form is submitted: the data goes to the server with an HTTP POST, and the server-side program that processes the form is an ASP script. The submitted data consists of only two fields, a mobile phone number and its confirmation (the HTTP header may carry additional cookie information). With no other means of verification, anyone can enter a mobile phone number and have a text message sent to it.

Now imagine this: a program sends the HTTP POST to this server on my behalf, supplying whatever data the server requires to send a text message, and the server sends a message to the given number. If I build a database of hundreds of such server addresses together with the data each one needs, and repeat the operation 1000 times (or more), with every message directed to a single mobile phone, that user receives thousands or even tens of thousands of text messages at once. Can he still use his phone?!

Don't assume this is impossible. A quick search of the Internet showed that many website registration pages handle text messages in this careless way. I recorded some of them, built a small database, and wrote a program that reads the database and sends the messages. (The program interface is as follows:)


The targeted number receives a large number of unwanted messages within a short time!

If my database were larger, the situation would be even worse!

The reason such a program works at all is that some registration sites are easy to figure out and apply no strict checks during registration, so an automated program can do this!

I hope that the mobile operators, when allowing websites to provide services of this kind, will require the sites to apply more rigorous verification. For example, if the following authentication method must be completed, the attack cannot be carried out (SINA's text message registration page is shown as the example; Sina owns the copyright of the picture)!
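To make the weakness and the fix concrete, here is an added example that is not code from the original article or from any of the sites it mentions. It simulates the text-message registration endpoint twice: once in the weak form the article describes (a number plus its confirmation is enough to trigger a message) and once hardened with an image-style challenge the client must answer, in the spirit of the Sina page the article points to, plus per-number and per-IP send quotas. The endpoint behaviour, field names, limits and sample numbers are assumptions for illustration; nothing is really sent, a stand-in gateway only counts messages.

```python
# Added example (not the article's code): weak vs. hardened SMS-registration handler.
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    """One parsed form POST. Field names are assumed; the page does not show them."""
    client_ip: str
    phone: str
    confirm_phone: str
    captcha_id: str = ""
    captcha_answer: str = ""


class SmsGateway:
    """Stand-in for the operator's SMS interface: it only counts what would be sent."""
    def __init__(self):
        self.sent = defaultdict(int)

    def send(self, phone, text):
        self.sent[phone] += 1


def weak_handler(gw, req):
    """The pattern the article criticises: number + confirmation triggers a message."""
    if req.phone != req.confirm_phone:
        return "mismatch"
    gw.send(req.phone, "Your registration code is ...")
    return "sent"


class CaptchaStore:
    """Server-side record of issued challenges; every id is single-use."""
    def __init__(self):
        self._answers = {}

    def issue(self, captcha_id, answer):
        self._answers[captcha_id] = answer

    def verify(self, captcha_id, answer):
        expected = self._answers.pop(captcha_id, None)  # consumed even when wrong
        return expected is not None and expected == answer


class HardenedHandler:
    """Same endpoint with a challenge the client must answer plus send quotas."""
    def __init__(self, gw, captchas, now=time.time,
                 cooldown_s=60, per_number_per_day=5, per_ip_per_hour=10):
        self.gw, self.captchas, self.now = gw, captchas, now
        self.cooldown_s, self.per_number_per_day = cooldown_s, per_number_per_day
        self.per_ip_per_hour = per_ip_per_hour
        self.by_number = defaultdict(deque)   # phone -> timestamps of sends
        self.by_ip = defaultdict(deque)       # client ip -> timestamps of sends

    @staticmethod
    def _prune(window, cutoff):
        while window and window[0] < cutoff:
            window.popleft()
        return window

    def handle(self, req):
        t = self.now()
        if req.phone != req.confirm_phone:
            return "mismatch"
        if not self.captchas.verify(req.captcha_id, req.captcha_answer):
            return "captcha_failed"          # scripted POSTs without a solved challenge stop here
        ip_hits = self._prune(self.by_ip[req.client_ip], t - 3600)
        if len(ip_hits) >= self.per_ip_per_hour:
            return "ip_quota"
        num_hits = self._prune(self.by_number[req.phone], t - 86400)
        if num_hits and t - num_hits[-1] < self.cooldown_s:
            return "cooldown"                # protects the number even from a valid client
        if len(num_hits) >= self.per_number_per_day:
            return "daily_cap"
        ip_hits.append(t)
        num_hits.append(t)
        self.gw.send(req.phone, "Your registration code is ...")
        return "sent"


def flood(handler, target, count, client_ip="203.0.113.5"):
    """Replay the article's scenario: many scripted POSTs for one number, no challenge solved."""
    results = defaultdict(int)
    for _ in range(count):
        results[handler(Request(client_ip, target, target))] += 1
    return dict(results)


class FakeClock:
    """Injectable clock so the quota logic can be exercised without waiting."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo_legitimate_user(phone="+8613800000000", ip="198.51.100.7"):  # constructed sample values
    """A real user solving fresh challenges still runs into the cooldown and daily cap."""
    clock, gw, captchas = FakeClock(), SmsGateway(), CaptchaStore()
    h = HardenedHandler(gw, captchas, now=clock)
    outcomes = []

    def attempt(cid, answer):
        captchas.issue(cid, answer)          # the page would show the user the picture here
        outcomes.append(h.handle(Request(ip, phone, phone, cid, answer)))

    attempt("c1", "7x3q")                    # sent
    attempt("c2", "k9pa")                    # cooldown: second request within 60 s
    clock.advance(61)
    attempt("c3", "m2zz")                    # sent
    outcomes.append(h.handle(Request(ip, phone, phone, "c3", "m2zz")))  # replayed token fails
    for cid in ("c4", "c5", "c6", "c7"):     # three more sends, then the daily cap
        clock.advance(61)
        attempt(cid, "ans")
    return outcomes, gw.sent[phone]


if __name__ == "__main__":
    target = "+8613800000000"                # constructed sample number
    gw = SmsGateway()
    print("weak:", flood(lambda q: weak_handler(gw, q), target, 1000), gw.sent[target])
    gw2 = SmsGateway()
    print("hardened:", flood(HardenedHandler(gw2, CaptchaStore()).handle, target, 1000), gw2.sent[target])
    print("legitimate user:", demo_legitimate_user())
```

The challenge check comes first because it is the control the article asks for and the one that stops a scripted flood outright; the per-number cooldown and daily cap are the defence that still limits damage when a challenge is solved (by a person or a solving service), since they bound how many messages any single phone can receive regardless of who requests them.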


If you would like the attack program and its source code, contact me by e-mail:

Tigger_211@sina.com
