You shouldn’t: free sms, random identity theft and sms DoS attack

Interesting title right? Well let’s start from the beginning. I love free services and I don’t mind if they come with advertisements if it’s worth it. What I don’t like is yet another free service quickly made with as much care for security as a chain smoker on the Hindenburg Zeppelin.

I sent them an email on 7 December 2011 and they haven’t replied. So I did warn them.

Now the fun part!

At http://www.jaxtrsms.com they explain how it works:

How does it work?
Use JaxtrSMS to send and receive messages with any other mobile phone in the world.*

1. Recipient does not have to be a user
2. Send a text message to any other mobile phone, domestic or international.*
3. Use your own phone number

*Jaxtr to Jaxtr messages and Jaxtr to India messages are FREE!

So how does it work? Well, you download and install the app, enter a lot of details they don’t need, and your number.
Then you get an SMS with a link; you click the link and your account is active.
When you send an SMS with the app it uses HTTP in the background to send the message.
Of course everything is safely coded so this cannot be abused.
Oh wait! It isn’t: by decompiling the app or by sniffing the network we can see that everything is sent in plain text.


https://register.jaxtrsms.com/sabsethinjaxtrsms/register?apikey=31326e536e65&context=31123456789&format=json&fname=John&lname=Doe&countrycode=31&family=J2ME-Lite&firmware=MPP&version=2.00.06&time=2011-12-8&verificationsms=false

context=31123456789 – the phone number, including the country code.
countrycode=31 – well, that is just too obvious to explain.

Go ahead, fill in your number and country code and see what happens.
One annoying SMS; that can’t hurt anyone, right? True, unless someone loaded that URL a few thousand times.
Like if your F5 key got stuck, by accident of course. 😛
And there you go, denial of service: when most phones receive thousands of SMS per minute they just call it a day and quit.

But now you wonder, what about the free sms?

Well, when you registered the first (or thousandth) time you got a reply. Somewhere in there is a “uuid”. Copy that number.


https://sendmessage.jaxtrsms.com/sabsethinjaxtrsms/sendshorttextmessage?apikey=31326e536e65&dest=3198716164!&shortmessage=spam&format=json&uuid=12345678987654321

dest=3198716164 – the destination phone number, with country code.
shortmessage=spam – that is your message.
uuid=12345678987654321 – the number you copied.

That will work without any problem if you’re sending to another jaxtrsms user or someone in India.

But any other numbers will cost you or some random stranger money.
Random stranger? Yes.

If you paid attention during those thousands of registration requests you might have noticed that the uuid increments by a small random step.

So if you loop the send-SMS URL and decrement the uuid you’ll keep getting:

{"response":{"text":"You are not a verified user. If you think this is an error, please send an email to support@jaxtrsms.com","status":411}}

Then suddenly you get something else. You bastard! You just stole someone’s credit!
(And also their identity, since their number will be the sender.)

With a few days’ patience you could loop through them all, send an SMS to your own phone each time, and so map every uuid to a phone number.
Then you’ve got a big fat database of people’s phone numbers and loads of ways to abuse them.

And that is why I hate bad security.


5 Comments on “You shouldn’t: free sms, random identity theft and sms DoS attack”

  1. galgalesh says:

    That’s why you should respond to your emails..🙂

  2. Bramus! says:

    Registration URL has a “&verificationsms=false” param. Sure that’s correct?

  3. qwaxys says:

    Well, it’s a useless parameter if you ask me; it works with both true and false.
    Though while intercepting traffic that is what showed up in the logs.
    Tested on:
    – Nokia 6234
    – PSP (with emulator)
    – Nokia 5530 XpressMusic
    With SIM cards from the Netherlands, Turkey, France and Germany.

  4. Bill Carson says:

    In a perhaps more interesting question: what would be the easiest way for jaxtrsms to solve these issues? Using longer, more random identifiers should probably limit the second issue, but the first seems more difficult to circumvent (assuming most of your users will be behind a CGNAT).
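As an added example (not JaxtrSMS code; the class names, the sample numbers and the 3-SMS-per-hour limit are assumptions), here is a constructed model of the two weaknesses the post describes, the guessable sequential uuid and the unthrottled registration SMS, next to a hardened registry of the kind the question above asks for:

```python
import secrets
from collections import defaultdict

# Constructed models, not JaxtrSMS code. The post shows the account "uuid" is
# the only credential on the send call and that registration fires an SMS
# with no throttle; the hardened class fixes both (names/limits are assumed).

class WeakRegistry:
    """Sequential uuids with a small random step: any known uuid is a
    few guesses away from someone else's verified account."""
    def __init__(self):
        self.next_uuid = 12345678987654321   # constructed start value
        self.accounts = {}                   # uuid -> phone number
    def register(self, number):
        self.next_uuid += secrets.randbelow(5) + 1   # step of 1..5
        self.accounts[self.next_uuid] = number
        return self.next_uuid

class HardenedRegistry:
    """128-bit random tokens, send only after verification, and a
    per-number cap on verification SMS so the URL can't be used to flood."""
    WINDOW_SECONDS = 3600
    def __init__(self, max_sms_per_window=3):
        self.accounts = {}                # token -> {"number", "verified"}
        self.sms_log = defaultdict(list)  # number -> verification SMS timestamps
        self.max_sms = max_sms_per_window
    def register(self, number, now):
        recent = [t for t in self.sms_log[number] if now - t < self.WINDOW_SECONDS]
        if len(recent) >= self.max_sms:
            raise PermissionError("verification SMS limit reached for this number")
        recent.append(now)
        self.sms_log[number] = recent
        token = secrets.token_urlsafe(16)   # 128 random bits: not enumerable
        self.accounts[token] = {"number": number, "verified": False}
        return token
    def verify(self, token):
        # Would be called from the link in the verification SMS.
        self.accounts[token]["verified"] = True
    def send(self, token, dest, text):
        acct = self.accounts.get(token)
        if acct is None or not acct["verified"]:
            # Same shape as the status 411 response quoted in the post.
            return {"status": 411, "text": "You are not a verified user."}
        return {"status": 200, "from": acct["number"], "to": dest, "text": text}
```

Longer identifiers alone do not stop the registration flood; the per-number window is what bounds how many SMS one victim can be sent, and it works even when many users share one CGNAT address because it keys on the number, not the client IP.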

