Stealing Money from ISPs Through Premium Rate Calls
I think the best hacks are the ones that are obvious once they're explained, but no one has thought of them before. Here's an example:
Instagram ($2000), Google ($0) and Microsoft ($500) were vulnerable to direct money theft via premium phone number calls. They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP/... Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number. The vulnerabilities were submitted to the respective Bug Bounty programs and properly resolved.
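As an added defensive illustration (not code from the post or from any of the named vendors), this is the gate a voice-token service would want in front of its dialler: refuse numbers that fall in premium-rate ranges and cap how many calls can be in flight to one destination at once. The prefix denylist and the per-number cap are constructed assumptions; a real deployment sources its ranges from numbering-plan data.

```python
import re
from collections import defaultdict
from threading import Lock

# Constructed denylist of premium-rate prefixes in E.164 form. A real service
# must take these from carrier/numbering-plan data (ranges change); the UK 09xx
# range and US 1-900 appear here only as illustration.
PREMIUM_PREFIXES = ("+449", "+1900")
# Constructed cap on simultaneous calls to one destination (the post notes that
# unlimited concurrent calls let a single premium number be dialled en masse).
MAX_CONCURRENT_PER_NUMBER = 2
_E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def normalise(number: str) -> str:
    """Strip common separators so the prefix check sees digits only."""
    return re.sub(r"[\s().-]", "", number)


def classify(number: str) -> str:
    """Return 'ok', 'invalid' or 'premium' for a user-supplied phone number."""
    normalised = normalise(number)
    if not _E164.match(normalised):
        return "invalid"
    if normalised.startswith(PREMIUM_PREFIXES):
        return "premium"
    return "ok"


class CallLimiter:
    """Per-destination concurrency cap for outbound verification calls."""
    def __init__(self, max_concurrent: int = MAX_CONCURRENT_PER_NUMBER):
        self._max = max_concurrent
        self._active = defaultdict(int)
        self._lock = Lock()

    def acquire(self, number: str) -> bool:
        """Reserve a call slot; refuse premium/invalid numbers and over-cap."""
        if classify(number) != "ok":
            return False
        key = normalise(number)
        with self._lock:
            if self._active[key] >= self._max:
                return False
            self._active[key] += 1
            return True

    def release(self, number: str) -> None:
        key = normalise(number)
        with self._lock:
            self._active[key] = max(0, self._active[key] - 1)
```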
Posted on July 19, 2016 at 6:21 AM • 13 Comments