Abhishek Parolkar's Old Blog

"The future is not to predict it is to be designed..." Let me imagine the best design for it.

Monday, July 30, 2007

Developer's ignorance allows visitors to send free SMS all over India

UPDATE: This problem was resolved the next day, after I informed the MD of the service company.

This morning, I was wondering what the worst consequence of a mistake made by a software architect could be; perhaps it is giving away access to an SMS/telephony server through poor developer coding. I see a lot of web 2.0 apps around, trying to make the best of JavaScript to offer new functionality. In my view, many solution architects just try to fit the conventional application model to web 2.0 apps. The next generation of web 2.0 apps needs a lot of thinking when it comes to "communication" and "security". I am surprised that a few developers still make silly mistakes out of ignorance which may cost the company a lot.

An hour back, I was very disappointed to discover a flaw in the application of India's famous directory service, JustDial. This company has been successfully providing a directory service for a very long time. Their website, www.justdial.com, allows visitors to search for locations/people/products all across India. Visitors can search for an item and then choose to receive the details via SMS on their mobile. As I am a web 2.0 technologist, and have been working on the "communication" and "security" aspects, I just took a closer look at this service and figured out the weak aspects of its communication. Exploiting the flaws (just as an experiment), I could write a shell script for sending bulk messages to my friends and surprise them.

As I explored, the homepage of this website submits the search keywords, city & search type to the server and, in return, obtains a unique PHP session id (which has a very small timeout set on the server) along with the search results. But the worst part is, the result also contains certain hidden fields which store preformatted SMS text that is sent back together with the user's phone number / email id. When the user chooses to send an email, his/her phone number/email id is asked for; on submit, the SMS text also travels back with the phone number and email id. The key element of the entire client/server communication is the hidden form element named 'sinfo'.
Hence, if you intercept this communication in between and change the SMS text, formatting it accordingly, you can send custom messages to anybody; and not just that: if you are a developer like me, you can just write a shell script and send timed bulk SMS messages. Though I am not going to discuss the idea of writing the shell script here (I respect the JustDial service), you can follow these steps to test the above flaw and send a message to anybody across India.

Steps
1.) Open http://search.justdial.com/ in your web browser (I use Firefox).
2.) Select a city and enter your search keywords and press enter (I selected Bangalore and searched "masala dosa").
3.) You will get a category of products; select one (I clicked "Pan Masala").
4.) You will see a list of contacts along with "Send to Mobile/Email"; click this link.
5.) You will now see a dialog asking for a phone number / email id, but before you enter your details read the next point.
6.) Copy the script given below into the browser's address bar and press enter (of course, everything will come in 1 line); you will be asked for the message you want to send.

javascript:alert("Successfully encoded sms :"+(document.smsAlert.smsDet.value = "0800000000#!#!#080g007006#!#!#"+prompt('your message')+"#!#!#G#!#!#A#!#!#A#!#!# #!#!# #!#!#560032#!#!#Bangalore#!#!##!#!#+(91)-0#!#!##!#!##!#!#spam@sms.ip6.in#!#!#"));

7.) Now just enter the recipient's mobile number and press "send now".


That's it, you have sent a free SMS. Well, I am sure the developer of this service will really be hurt to know about this flaw, and I feel bad about it too, but the point I want to make is that we have to evolve some solid technology foundation that helps web developers design better systems for the next generation web.
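The root cause described above is that the server hands the finished SMS text to the browser in a hidden field ('sinfo') and then sends back whatever the browser returns. The following is an added illustration, not JustDial's code: a constructed listing, a fake gateway that only records messages, the trusting handler, and two server-side fixes (an opaque single-use token instead of the text, or an HMAC over the text that is verified before sending). All names, the session store and the key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed directory entry standing in for one search result.
LISTING = {
    "name": "Example Dosa Corner",
    "phone": "080-0000-0000",
    "area": "Bangalore 560032",
}

SENT_SMS = []  # fake gateway log of (recipient, text); nothing is really sent


def send_sms(recipient, text):
    """Stand-in for the SMS gateway: records the message, returns the count."""
    SENT_SMS.append((recipient, text))
    return len(SENT_SMS)


def format_sms(listing):
    """Server-side formatting; the only place SMS text should originate."""
    return f"{listing['name']}, {listing['phone']}, {listing['area']}"


# 1. The pattern the post describes: the page ships the finished SMS text in a
#    hidden field, and the send handler forwards whatever the browser returns.
def render_vulnerable(listing):
    return {"sinfo": format_sms(listing)}


def send_vulnerable(form):
    # No check that form["sinfo"] is the text the server produced.
    return send_sms(form["phone"], form["sinfo"])


# 2. Fix A: the text never leaves the server. The hidden field carries only an
#    opaque, single-use token that maps back to the stored text.
SESSION = {}  # constructed per-session store; a real app uses its session backend


def render_token(listing):
    token = secrets.token_urlsafe(16)
    SESSION[token] = format_sms(listing)
    return {"sinfo": token}


def send_token(form):
    text = SESSION.pop(form["sinfo"], None)  # pop makes the token single-use
    if text is None:
        raise PermissionError("unknown, expired or reused token")
    return send_sms(form["phone"], text)


# 3. Fix B: the text may travel through the browser, but only with an HMAC the
#    server computed, so any edit to it is detected before anything is sent.
SERVER_KEY = secrets.token_bytes(32)  # constructed; load from config in practice


def sign(text):
    return hmac.new(SERVER_KEY, text.encode(), hashlib.sha256).hexdigest()


def render_signed(listing):
    text = format_sms(listing)
    return {"sinfo": text, "sig": sign(text)}


def send_signed(form):
    if not hmac.compare_digest(sign(form["sinfo"]), form.get("sig", "")):
        raise PermissionError("sinfo does not match server signature")
    return send_sms(form["phone"], form["sinfo"])


def demo():
    """Run each handler against a form whose 'sinfo' was edited in the browser
    and report which ones let the edited text through."""
    edited = "EDITED TEXT"
    results = {}

    form = render_vulnerable(LISTING)
    form.update(phone="9100000000", sinfo=edited)
    send_vulnerable(form)
    results["vulnerable_sent_edited"] = SENT_SMS[-1][1] == edited

    for name, render, send in (("token", render_token, send_token),
                               ("signed", render_signed, send_signed)):
        form = render(LISTING)
        form.update(phone="9100000000", sinfo=edited)
        try:
            send(form)
            results[name + "_rejected"] = False
        except PermissionError:
            results[name + "_rejected"] = True

    # A genuine, unedited form still works under both fixes.
    results["honest_ok"] = (
        send_token({**render_token(LISTING), "phone": "9100000000"}) > 0
        and send_signed({**render_signed(LISTING), "phone": "9100000000"}) > 0
        and SENT_SMS[-1][1] == format_sms(LISTING)
    )
    return results


if __name__ == "__main__":
    print(demo())
```

Fix A is the stronger design because the browser never sees the message text at all, which also removes the temptation to "format it accordingly"; Fix B is the smaller change when the form layout must stay as it is. Neither replaces per-user rate limiting on the send endpoint, which is what stops the bulk-script scenario the post mentions.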
