Telenor.com.pk SMS 2-Factor Bypass

`Title: Telenor.com.pk Connect Account SMS PIN Redirection  
Author: Muhammad Shahbaz  
LinkedIn: https://www.linkedin.com/in/mr-muhammad-shahbaz/   
Found: 2019-04-01  
  
  
  
  
Attack Pattern:  
Telenor.com.pk Connect Account has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow to receive SMS PIN with an arbitrary existing user and the server send the attacker the PIN for the user account.  
  
  
Client can send a random telenor phone number during the SMS PIN verification flow and the server will send the PIN to that unauthorized phone number of the telenor connect user account:  
  
  
#POST: https://www.telenor.com.pk/customer/account/sendMystatementsPin/  
  
  
msisdn:03XXXXXXXXX   
form_key:XXxxXXxxXXxxx  
resend:1  
  
  
  
  
Result:  
{"resent":1,"message":"  
Success:PIN re-sent.<\/span><\/div>"}  
  
  
  
  
Vulnerability Parameters:   
“msisdn”, by sending from an existing user account with a random telenor phone number while requesting SMS PIN, the random telenor phone number will receive the SMS PIN.  
  
Vulnerability Type:   
Design flaw  
  
Vulnerability Details:  
Telenor.com.pk customer portal has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow and the server will send the SMS PIN to that number.   
  
  
This occurs when user requests the two factor SMS PIN from customer portal, mobile phone is being transferred from the client side of the customer portal and on the server side without any further authentication or verification it sends SMS PIN to that phone number of the given user account.  
  
This is not very common vulnerability and its successful exploitation can bypass any user’s SMS second factor authentication to see customer mobile statements.  
  
Even though I believe this is intended feature of the customer portal of https://www.telenor.com.pk. I strongly recommend investigating the issue manually to ensure it is a design flaw and that it needs to be addressed. You can also consider sending the details of this issue to us so I can address this issue for the next time and give you a more precise result.  
  
Impact:  
Depending on the account, an attacker can bypass any user’s second factor SMS PIN authentication to see subscriber’s information:  
* Balance check and Recharge  
* Remaining usage of bundles  
* Complete mobile usage details  
  
  
  
  
Actions to Take:  
SMS PIN verification on customer portal need to be redesign with fetching mobile phone number from server side rather than on client side and adding preventive measures.  
  
  
Vulnerability was reported to the company on April 2, 2019.  
`