Thread Reader
Corben Leo

Corben Leo
@hacker_

Nov 25
8 tweets
Twitter

I hacked a phone company earlier last year. I found a stupidly simple way to view the call logs of 50M customers. Here's how I did it:

1/ I've been in this bug bounty program for quite some time. I previously bought a phone plan so I could login and test functionality as an authenticated user. In the dashboard, there was a tab to view your call logs.
2/ The URL contained a parameter called "subscriberId". It contained a numerical ID, so obviously I tried to change it to another users. Unfortunately, it didn't work.
3/ After spidering the site with Burp, I eventually came across an old Javascript file. This javascript contained a reference to a JSP file with a name that indicated similar functionality: "/myaccount/modals/view_call_log_details_modal.jsp"
4/ So, I visited the endpoint: ███.com/myaccount/moda… The page loaded, and in the response I saw my call logs: Hm. What happens if I try to change the subscriberId to someone else's here?
5/ I tried again, with another person's ID: It actually worked. 🤦🏻‍♂️ An incredibly stupid, simple vulnerability affecting 50M+ customers. Insane
6/ I eventually found 5 other similar issues that leaked: • Customer names, phone numbers • Payment details (cards, amounts, dates of payments) • Etc. I reported them all to their bug bounty program and they duplicated them into one report and eventually fixed the issues.
7/ I'm still blown away that such simple, stupid vulnerabilities exist. twitter.com/hacker_/status…
I hacked a phone company earlier last year. I found a stupidly simple way to view the call logs of 50M customers. Here's how I did it:
Corben Leo

Corben Leo

@hacker_
I hack stuff (legally). | building. | hacking stories: https://t.co/4Dncl4cK15 | https://t.co/NjZowbkDkP
Follow on Twitter
Missing some tweets in this thread? Or failed to load images or videos? You can try to .