Verizon late last year patched a vulnerability in its Message+ messaging client that could have allowed an attacker to take over a session and possibly extend their reach into a user’s account management settings.
Researcher Randy Westergren yesterday disclosed some details on the bug, which could be attacked through the desktop client via a crafted SMS message. The vulnerability was privately disclosed in November and patched three weeks later on Dec. 9.
“Anyone using the web client could easily be targeted with a payload,” Westergren said. Users, the researcher said, would not have to click on an attacker’s link; simply viewing the message could be enough to trigger the vulnerability. “An attacker could take over the session and it would allow anything within the web client.”
Westergren said the vulnerability was a combination of a persistent and DOM-based cross-site scripting flaw. The client, Westergren said, failed to properly encode single-quote characters.
“By not encoding those, and by building an HTML block with single quotes, allows me to close out one of those attributes and start my own,” Westergren said. Doing so, an attacker would be able to send and receive SMS messages on behalf of the victim, exposing them to a number of premium SMS scams and privacy issues.
“The attacker would be taking over the session for your Verizon Wireless account,” Westergren said. “I didn’t test it, but I’m pretty sure you could move throughout the other offerings through Verizon Wireless because the cookies in the session are valid. Presumably, you could move to other management pages within Verizon Wireless.”
Westergren, a Verizon customer, said he started investigating the app by sending himself a few links that he looked at through the web app. Any HTML, he said, was parsed server side and returned the URL’s Open Graph properties, which are used in the UI’s preview elements. The image URL shown in the preview, he said, is a proxied image returned by Verizon’s servers.
“This is generally a good move to maintain more control over the images rendered in the user’s browser,” he wrote in a report published Sunday.
Westergren checked again for DOM XSS vulnerabilities, adding special characters to the links he texted to himself to examine how the web app would render them. According to OWASP, DOM-based XSS is an attack that modifies the DOM environment in the browser used by the original client-side script. The HTTP response would not change, but client-side code would execute differently than expected.
“After sending some single quotes included in the querystring of a test URL, I immediately noticed I was able to break out of the HREF attribute in the main anchor element,” he wrote.
He said Verizon addressed the issue by using the DOM API to build the elements properly, whereas before it was concatenating strings, a known unsafe practice.
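The bug class described above, as an added example that is not Verizon’s or the researcher’s code: a link preview assembled by string concatenation into single-quoted attributes, beside the same preview built with contextual encoding and with the DOM API. The preview data, function names and the regression check are constructed for illustration.

```javascript
// Constructed sample: Open Graph-style preview data for a test URL whose
// querystring carries a single quote, like the researcher's test message.
const samplePreview = {
  url: "https://example.test/page?q=it's+fine",
  title: "Test page",
};

// Vulnerable pattern: untrusted values concatenated into single-quoted
// attributes with no encoding. A quote in the URL ends the href early.
function buildPreviewUnsafe(p) {
  return "<a class='preview' href='" + p.url + "'>" + p.title + "</a>";
}

// Contextual encoding for HTML attribute and text contexts.
function encodeHtml(s) {
  const map = { "&": "&amp;", "'": "&#39;", '"': "&quot;", "<": "&lt;", ">": "&gt;" };
  return String(s).replace(/[&'"<>]/g, (c) => map[c]);
}

// Hardened string builder: every untrusted value is encoded for its context.
function buildPreviewEncoded(p) {
  return "<a class='preview' href='" + encodeHtml(p.url) + "'>" +
    encodeHtml(p.title) + "</a>";
}

// Hardened DOM builder (browser only), the approach the fix is described as
// using: setAttribute and textContent never reinterpret a value as markup.
// The scheme allowlist is an extra defence assumed here, not part of the
// page's description; encoding alone does not stop a javascript: URL.
function buildPreviewDom(doc, p) {
  if (!/^https?:\/\//i.test(p.url)) throw new Error("unsupported URL scheme");
  const a = doc.createElement("a");
  a.className = "preview";
  a.setAttribute("href", p.url);
  a.textContent = p.title;
  return a;
}

// Regression check: read the href back the way a browser would (up to the
// next single quote), decode entities, and compare with the original URL.
// A truncated href means the attribute boundary was broken.
function hrefSurvives(html, url) {
  const m = /href='([^']*)'/.exec(html);
  if (!m) return false;
  const ents = { amp: "&", "#39": "'", quot: '"', lt: "<", gt: ">" };
  const decoded = m[1].replace(/&(amp|#39|quot|lt|gt);/g, (_, e) => ents[e]);
  return decoded === url;
}
```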
This was a combination of a persistent cross-site scripting bug with DOM cross-site scripting, he said, adding that a user could be infected even if they’d logged in after the crafted SMS was sent.
Westergren has disclosed other Verizon-related vulnerabilities in the past. In May 2016, he found an insecure direct object references vulnerability in Verizon.net email accounts that affected any of the company’s seven million FIOS subscribers. This was the second email bug he was credited with finding after a January 2015 disclosure of an issue in the FIOS mobile app that allowed access to any Verizon email account.