Reporter Muhammad Shahbaz
`Title: Telenor.com.pk Connect Account SMS PIN Redirection
Author: Muhammad Shahbaz
Telenor.com.pk Connect Account has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow to receive SMS PIN with an arbitrary existing user and the server send the attacker the PIN for the user account.
Client can send a random telenor phone number during the SMS PIN verification flow and the server will send the PIN to that unauthorized phone number of the telenor connect user account:
“msisdn”, by sending from an existing user account with a random telenor phone number while requesting SMS PIN, the random telenor phone number will receive the SMS PIN.
Telenor.com.pk customer portal has a fundamental design flaw where the client can send a random telenor phone number during the second factor flow and the server will send the SMS PIN to that number.
This occurs when user requests the two factor SMS PIN from customer portal, mobile phone is being transferred from the client side of the customer portal and on the server side without any further authentication or verification it sends SMS PIN to that phone number of the given user account.
This is not very common vulnerability and its successful exploitation can bypass any user’s SMS second factor authentication to see customer mobile statements.
Even though I believe this is intended feature of the customer portal of https://www.telenor.com.pk. I strongly recommend investigating the issue manually to ensure it is a design flaw and that it needs to be addressed. You can also consider sending the details of this issue to us so I can address this issue for the next time and give you a more precise result.
Depending on the account, an attacker can bypass any user’s second factor SMS PIN authentication to see subscriber’s information:
* Balance check and Recharge
* Remaining usage of bundles
* Complete mobile usage details
Actions to Take:
SMS PIN verification on customer portal need to be redesign with fetching mobile phone number from server side rather than on client side and adding preventive measures.
Vulnerability was reported to the company on April 2, 2019.