Vodafone.com XSS helps you trace unregistered "Pay As You Go" subscribers

Written by DP

Thursday, 27 May 2010

Web security researcher "PyskE" has submitted a critical cross-site scripting vulnerability (XSS) affecting Vodafone.com:

Vodafone.com XSS:

http://www.xssed.com/mirror/64488/

*UPDATE 28/05/2010*:

Mystick has submitted a fresh XSS vulnerability on business.vodafone.com [XSS Mirror]

There are two possible exploitation scenarios:

Scenario #1 (The evil XSS attack)

A malicious user exploits the XSS vulnerability to display a fake survey form urging Vodafone subscribers worldwide to input sensitive personal and financial details. Furthermore, the issue could be exploited to infect site visitors and subscribers with malware, adware and spyware.

Scenario #2 (XSS is your friend in some occasions)

In many jurisdictions it is not mandatory to register your prepaid SIM card (Pay-As-You-Go). This allows people to use their mobile phones for nefarious purposes such as scams, pranks and miscellaneous illegal activities. Supposedly no one will know you are at the other end, unless you tell them.

If you are the victim and know the annoying Vodafone mobile phone number, you can pose as Vodafone by sending a masked SMS text message to the annoying subscriber, asking him to visit the XSS-vulnerable survey page at Vodafone.com in order to confirm account details or take part in a competition. It is probable that the subscriber will visit the page and input details in the injected fake form. For greater persuasion potential, you can assign him a fake unique id, supposedly required to successfully complete the survey.

Without XSS on Vodafone's web pages it will cost you a little to get information, because the only option is to register an SMS short code - a highly persuasive option too!! :)

*UPDATE 28/05/2010*: The victim may look up your SMS short code number - "How can I tell who sent me a spam text or call?" - Help @ Vodafone UK
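Both scenarios rely on the same defect: a page that echoes a visitor-supplied value (such as the "unique id" in the survey URL) straight into its HTML, so that markup arrives as markup. The following is an added illustration, not code from the original post or from Vodafone: the vulnerable reflection beside the escaped version that keeps a fake form from being injected, plus the check a tester uses to tell them apart. The URL, the `uid` parameter and the page markup are constructed assumptions.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed example: a survey page that shows the visitor "their"
# survey id, taken from the uid query parameter of the request URL.

def extract_uid(url: str) -> str:
    """Return the uid query parameter, or an empty string if absent."""
    return parse_qs(urlparse(url).query).get("uid", [""])[0]

def render_survey_unsafe(url: str) -> str:
    """Vulnerable: uid is concatenated into the markup as-is, so any
    tag in the parameter is rendered by the browser as part of the page."""
    return f"<p>Survey id: {extract_uid(url)}</p>"

def render_survey_safe(url: str) -> str:
    """Hardened: HTML-escape the value in the HTML text context, so
    '<', '>', '&' and quotes can only ever render as literal characters."""
    return f"<p>Survey id: {html.escape(extract_uid(url), quote=True)}</p>"

def reflects_markup(page: str, marker: str = "<b>") -> bool:
    """Tester's check: submit a harmless marker tag in the parameter and
    see whether it comes back verbatim. If it does, untrusted input reaches
    the page as markup and the reflection needs fixing."""
    return marker in page

if __name__ == "__main__":
    probe = "https://survey.example.invalid/form?uid=<b>42</b>"
    print("unsafe reflects markup:", reflects_markup(render_survey_unsafe(probe)))
    print("safe reflects markup:  ", reflects_markup(render_survey_safe(probe)))
```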

Screenshots for Scenario #2:

Vodafone sites have been XSSed in the past:

lab.vodafone.it XSS vulnerability notified by Darkc0ke
surveys.vodafone.com XSS vulnerability notified by PyskE
ajuda.vodafone.pt XSS vulnerability notified by isoz
dsl.vodafone.de XSS vulnerability notified by l3d
store.vodafone.it XSS vulnerability notified by DoMy94
shop.vodafone.de XSS vulnerability notified by TurKPoweR
service.vodafone.de XSS vulnerability notified by TurKPoweR
www.vodafone.al XSS vulnerability notified by xylitol
vic.vodafone.com.au XSS vulnerability notified by Agd_Scorp
lab.vodafone.it XSS vulnerability notified by Langy
www.vodafone.com XSS vulnerability notified by BackDoor
www.receiver.vodafone.com XSS vulnerability notified by www.r3t.n3t.nl
www.receiver.vodafone.com XSS vulnerability notified by www.r3t.n3t.nl
www.vodafone.com.tr XSS vulnerability notified by cyber
www.vodafonemusic.co.uk XSS vulnerability notified by Narcoticxs
dms1.vodafone.nl XSS vulnerability notified by cyber
www.vodafonelive.de XSS vulnerability notified by TotalSchaden
www.vodafone.gr XSS vulnerability notified by KaBuS
www.vodafone.com.tr XSS vulnerability notified by KaBuS
shop.vodafone.co.uk XSS vulnerability notified by Hexspirit

