Improper handling of the SMS sending interface will be exploited into the SMS bombing Tool
Ding !... "Notification Information: Verification Code (8694), used for verification (valid within 15 minutes )......"
I believe that you are familiar with such text messages. Many companies require mobile phone numbers for text message verification to verify the authenticity of users. However, if the SMS sending interface is not handled properly, it will be used as a tool for text message bombing.
You can learn about the following events:
The IX bee APP found a vulnerability in handling incorrect text message interfaces on bigo daniu. It was maliciously exploited to make a text message bombing tool and sent verification text messages to bomb users, tens of thousands of text messages were lost until the official discovery of IX bee.
There are also a few vulnerabilities related to SMS bombing on major security platforms. According to the information provided by bigo daniu's security operations, such vulnerabilities are common, but they have not been paid much attention to and are not fixed. Once the vulnerability is exploited maliciously, it will waste enterprises' Short Message Resources and cause severe harassment to users.
--------------------------------------------------- I am a split line --------------------------------------------------
SMS bombing is a vulnerability that is not restricted by the company's SMS sending interface. You can send verification text messages to the target mobile phone number multiple times or within a short period of time to bomb and harass the system; at the same time, enterprises also waste a lot of available short message resources.
[Method of exploits]
1. Discover the short message interface, the better the effect with fewer restrictions;
2. packet capture. Common packet capture software include wireshark, fiddler, and httpwatcher;
3. POST, submit the written content, and send a simple text message;
4. submit them in batches to form the bombing effect.
Sample Code for exploits:
SendMsg ('Enter the phone number to be bombed here ');
Function sendMsg (phone ){
Var urls = [
'Enter the SMS interface' + phone'
];
For (var I in urls ){
New Image (). src = urls [I];
}
}
Set the first line of code as the phone number to be bombed and the fourth line of code as the SMS call interface, and copy all the strings to the F12 Console of the browser for execution.
Note: The above code is only used for technical research! Please do not use it for any illegal purposes!
[Hazards]
1. For individuals: a large number of useless text messages are received within a short period of time, resulting in interference;
2. For enterprises: Once a vulnerability is maliciously exploited and sent in large quantities, it will cause economic losses.
[Vulnerability repair]
1. The same mobile phone number can be sent for a limited period of time. For example, if the number is sent five times a day, the user experience can be considered comprehensively;
2. Set a more complete verification code mechanism.
With the rise of the mobile Internet, the number of mobile app vulnerability attacks has increased. Bigo daniu is determined to improve mobile Internet information security and provides a research platform for mobile Internet information security researchers to collect android system and android Application vulnerabilities for a paid amount, welcome to the white hat professionals to exchange and learn and work together for information security!