Saturday, November 22, 2014

Remove Required Portion of a Smartphone Data Plan

How to remove the required data plan from a contract smartphone using Faux-Ni-Phone Wireless’s website.
This hack targets a simple form for changing features in your cellular plan. Between the voice plan and data plan, there are so many options… and yet none, since they require you to have a data plan if you have a smartphone. Let’s see if this is enforced solely with client-side logic (hint: yes, it is). I'm going to go through the entire narrative of puzzling out how to do something like this. It's important to understand the thought process of a persistent attacker in order to plan against security issues.

Try #1: Since one of the plans is selected by default in a group of radio buttons, let’s first find a way to deselect it, so that we simply don’t have to choose one to buy. Let’s try the easiest thing first. Setting the typical selected="false" on all the input elements didn’t work, so I move on. I’ll try again.

Try #2: I change the values in the radio button that IS selected to dummy values, but it doesn’t update the total price. Fail. Hm. Apparently, changing the radio button state prompts it to change the total bill sum. Note that I’m not bothering to read the code that would confirm this; you can make some educated guesses based on the UI behavior. I’ll try again.

Try #3: I duplicate one of the input elements and then fill the values and id with dummy data, instead of sku0150033 or whatever it was. Then I select the dummy entry, and the bill is lowered! The data is no longer part of the total! However, when I go to check out, I get a message that ‘346456’ and ‘fasfsdgf’ do not exist in the system. OK, so what DOES exist on the system? Apparently my keyboard smashing isn’t good enough since they’re doing some server-side validation, go figure. I never would have guessed by the quality of the rest of the site (which is forever breaking when exporting PDFs, or claiming permissions issues on links that disappear and reappear randomly - things like that). So, as usual, I’ll try again.

Try #4: Anyway, I go back to the form, and restart fresh. I create a dummy input element like I did before, only this time I make my dummy data a little smarter. I assume that it’s checking the format sku + 7 digits, and accepts it directly from the UI (very dangerous: developers, never EVER do this). So, the new smart dummy data will be sku0000000. So I select my newly minted fake data plan, and check out. The next page has no error! When it tells me to review my order, it doesn’t display anything, so I figure something got pretty messed up (Well, really it says: ‘Please review your order and make sure everything looks correct.’ Well, it’s a blank box. Hmm. Yes, I decide that looks about right.) I hit continue. Then, there it is, all the final billing information – and the bill? Impossibly low, since it no longer includes the data plan! I get an email confirmation. Success!
I’m a white hat; I do not actually carry this out. I immediately cancel the order so that the company isn’t financially harmed. I never implement exploits that cause a business to lose money, no matter how outrageous it is that I can’t choose not to purchase and use part of my service. (Besides, it would be more useful to be the only phone with a data plan only and just stick with Google Voice, but ANYWAY, that’s a story for another day…)

So! What did we learn? Client-side validation needs to be backed up with server-side validation, and not just for valid formats. The input should be bounded: the server should accept only the objects the user is actually allowed to select from.
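
As an added illustration (not code from the original post or from the carrier's site), here is a sketch of the server-side check that lesson calls for, next to the format-only check guessed at in Try #4. The catalog, SKUs, prices, rule table and function names are all constructed for the example.

```python
import re

# Constructed catalog: SKU -> (category, monthly price in cents). Not real SKUs.
CATALOG = {
    "sku1000001": ("voice", 3999),
    "sku2000001": ("data", 2500),
    "sku2000002": ("data", 4500),
}
# Constructed rule table: device class -> plan categories that must be present.
REQUIRED = {"smartphone": {"voice", "data"}, "basic": {"voice"}}


class OrderRejected(Exception):
    """Raised when a submitted order fails server-side validation."""


def format_only_check(skus):
    """The weak check: only the shape of the string (sku + 7 digits)."""
    return all(re.fullmatch(r"sku\d{7}", s) for s in skus)


def validate_order(device_class, skus, eligible_skus):
    """Return the server-computed total in cents, or raise OrderRejected.

    device_class and eligible_skus come from the account record on the
    server; only the list of selected SKUs comes from the browser.
    """
    if device_class not in REQUIRED:
        raise OrderRejected(f"unknown device class: {device_class!r}")
    chosen = {}
    for sku in skus:
        # Allow-list: the SKU must exist AND be offered to this account.
        if sku not in CATALOG or sku not in eligible_skus:
            raise OrderRejected(f"unknown or ineligible SKU: {sku!r}")
        category = CATALOG[sku][0]
        if category in chosen:
            raise OrderRejected(f"more than one {category} plan selected")
        chosen[category] = sku
    # Business rule enforced here, not by the radio-button group in the page.
    missing = REQUIRED[device_class] - set(chosen)
    if missing:
        raise OrderRejected(f"missing required plan(s): {sorted(missing)}")
    # Price comes from the catalog, never from values the form submitted.
    return sum(CATALOG[sku][1] for sku in chosen.values())
```

The well-formed but nonexistent sku0000000 passes format_only_check and is rejected by validate_order, as is an order for a smartphone that simply omits the data plan.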

I hope you enjoyed my new blogging format - I’m going to start listing my thought process instead of just the final result. Thanks for reading!