User enumeration, a weak temporary password and broken brute-force protection allow an attacker to take over any customer account at mano.tele2.lt.
The mobile application "Mano Tele2" uses the API server at api.tele2.lt. As an additional security layer, a separate authorization server is involved: appwscapi.tele2.lt.
To register an account, users receive an SMS with a 4-digit numeric code. To reset a password, a user needs a 4-digit numeric temporary code, which expires in about 30 minutes.
A 4-digit numeric-only temporary code has only 10000 possible values. Measured from a mobile internet connection close to the server, the API checked more than 20 codes per second, so an attacker needs at most about 500 seconds to try the full key space, well within the hard-coded 30-minute lifetime of the code. Simply requesting fresh codes is rate-limited by a resend cooldown:
HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 94
{
"ErrorType": "WebApi.TempPassword",
"ErrorMessage": "Temp password resend cooldown not expired"
}
By querying the password recovery endpoint with different MSISDNs it is possible to tell whether a number has a self-care account or not. For an unregistered number:
HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 152
{
"ErrorType": "WebApi.UserNotExists",
"ErrorMessage": "Provided MSISDN is not registered in selfcare. API client should direct user to registration flow."
}
For a registered number the API responds differently:
HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Content-Length: 113
{
"error": "WebApi.ResourceOwnerCredentials.Error.InvalidPassword",
"error_description": "Neteisingas slaptažodis."
}
The error_description is Lithuanian for "Wrong password." The two distinguishable responses are what make enumeration possible.
The API does implement brute-force protection by limiting the number of temporary code check attempts:
HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 195
{
"ErrorType": "WebApi.TooManyTempPasswordAttempts",
"ErrorMessage": "Neteisingai įvedėte laikiną slaptožodį per daug kartų. Pradėkite slaptažodžio priminimą arba registraciją iš naujo."
}
The message is Lithuanian for "You entered the temporary password incorrectly too many times. Start the password reminder or registration again."
However, it turned out that the temporary password is still being checked even after the limit is reached: the error above is only cosmetic, and if the correct code is supplied after XXX attempts, the system accepts it.
To take over any account, an attacker needs to:
- Enumerate all MSISDNs registered in self-service using the recovery endpoint
- For each registered number, request a temporary password recovery code
- Brute-force the 4-digit temporary code and change the password
- Log in to the account with the new password
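The following Python is an added example, not code from the advisory or from Tele2's API. It works through two points made above: the key-space arithmetic (10000 codes at 20 checks per second against a 30-minute lifetime), and the logic bug behind the "TooManyTempPasswordAttempts" error, where the attempt limit only changes the error message but the code is still compared and a correct guess is still accepted. The vulnerable verifier reproduces that ordering; the hardened one consults the limit first, burns the code when the limit is hit, makes it single-use and compares in constant time. The limit of 5 attempts, the MSISDN and the fixed test code are constructed for the example; the advisory does not state Tele2's real limit.

```python
import hmac
import secrets

CODE_DIGITS = 4
KEYSPACE = 10 ** CODE_DIGITS      # 10000 possible 4-digit numeric codes
CODE_LIFETIME_S = 30 * 60         # temporary code lives about 30 minutes
MAX_ATTEMPTS = 5                  # hypothetical limit; the advisory does not give Tele2's value


def seconds_to_exhaust(keyspace: int, checks_per_second: float) -> float:
    """Worst-case time to try every code at the observed check rate."""
    return keyspace / checks_per_second


def brute_force_feasible(keyspace: int, checks_per_second: float, lifetime_s: float) -> bool:
    """True when the whole keyspace can be tried before the code expires."""
    return seconds_to_exhaust(keyspace, checks_per_second) < lifetime_s


class TempCode:
    def __init__(self, value: str, issued_at: float):
        self.value = value
        self.issued_at = issued_at
        self.attempts = 0


class VulnerableVerifier:
    """Mirrors the advisory: wrong guesses past the limit get a TooMany error,
    but the comparison still runs first, so the correct code is accepted
    regardless of how many guesses preceded it."""

    def __init__(self):
        self.codes = {}   # msisdn -> TempCode

    def issue(self, msisdn: str, now: float, code: str = None) -> str:
        # `code` exists only for deterministic testing; real callers get a random code
        if code is None:
            code = f"{secrets.randbelow(KEYSPACE):0{CODE_DIGITS}d}"
        self.codes[msisdn] = TempCode(code, now)
        return code

    def verify(self, msisdn: str, guess: str, now: float) -> str:
        tc = self.codes.get(msisdn)
        if tc is None or now - tc.issued_at > CODE_LIFETIME_S:
            return "NoActiveCode"
        tc.attempts += 1
        if guess == tc.value:                  # BUG: compared before the limit is enforced
            return "OK"
        if tc.attempts > MAX_ATTEMPTS:
            return "TooManyTempPasswordAttempts"
        return "InvalidTempPassword"


class HardenedVerifier(VulnerableVerifier):
    """Enforce the limit before comparing, burn the code once the limit is reached,
    make it single-use, and compare in constant time."""

    def verify(self, msisdn: str, guess: str, now: float) -> str:
        tc = self.codes.get(msisdn)
        if tc is None or now - tc.issued_at > CODE_LIFETIME_S:
            return "NoActiveCode"
        if tc.attempts >= MAX_ATTEMPTS:
            del self.codes[msisdn]             # user must restart the reset flow
            return "TooManyTempPasswordAttempts"
        tc.attempts += 1
        if hmac.compare_digest(guess.encode(), tc.value.encode()):
            del self.codes[msisdn]             # a code that worked once must not work twice
            return "OK"
        return "InvalidTempPassword"


def brute_force(verifier, msisdn: str, now: float):
    """Attacker loop: try 0000..9999 in order. Returns (accepted code or None, requests sent)."""
    sent = 0
    for n in range(KEYSPACE):
        guess = f"{n:0{CODE_DIGITS}d}"
        sent += 1
        result = verifier.verify(msisdn, guess, now)
        if result == "OK":
            return guess, sent
        if result == "NoActiveCode":           # code burned or expired: nothing left to guess
            break
    return None, sent


if __name__ == "__main__":
    msisdn = "37060000000"                     # constructed sample number
    print("feasible:", brute_force_feasible(KEYSPACE, 20, CODE_LIFETIME_S))
    for cls in (VulnerableVerifier, HardenedVerifier):
        v = cls()
        v.issue(msisdn, now=0.0, code="9999")
        print(cls.__name__, brute_force(v, msisdn, now=1.0))
```

Against the vulnerable verifier the loop walks the whole key space and is let in on the last guess; against the hardened one it gets five rejections, one TooMany response that destroys the code, and then nothing left to attack, so a 4-digit code is only safe when the limit is enforced before the comparison and the code is invalidated when it trips.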
Disclosure timeline:
- 2020-03-08 - initial discovery and proof of concept
- 2020-03-09 - contacted Tele2 and provided all the details
- 2020-03-10 - Tele2 confirmed everything was fixed in prod
- 2020-05-10 - full disclosure