Attacking DTAC’s MMS System Via Cross Site Scripting

DTAC is the second largest GSM mobile phone provider in Thailand. It's pretty sad that the company itself doesn't seem to care much about its security: its web applications have multiple cross-site scripting vulnerabilities and weak authentication. The one I want to talk about here is a stored XSS vulnerability in the web MMS system.

What can you do with this vulnerability?
Send a normal-looking MMS and wait until the victim opens it in the web MMS interface. Once it is viewed, the injected JavaScript runs in the victim's logged-in session. Because of poor coding, the logged-in user's phone number and password are embedded in the HTML source of the page, so the payload can read them with basic DOM calls such as document.getElementsByName. With the victim's phone number and password in hand, you can view their MMS messages, so this vulnerability, exploited correctly, lets you read other people's MMS.

How to attack?
After some testing, I found that the name of the multimedia file attached to an MMS is not sanitized properly before it is displayed, which is what makes the XSS possible.
Simply rename the multimedia file so that its file name is the XSS payload. For example, if it is an image file, rename it to
<img src=x onerror=alert(1)>. Then send it exactly as you would send a normal MMS. The payload executes as soon as the message is viewed in the web interface.
[Screenshots: dtacmms1, dtacmms2, and three screen captures taken 2014-02-01]
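The following is an added example, not DTAC's code and not taken from the original post. It simulates in plain JavaScript (runnable under Node, no browser needed) the two halves of the problem described above: an MMS viewer page that concatenates the attachment's file name straight into its markup, so the payload file name becomes a live tag, beside the same page with the name HTML-escaped; and what any script running in that page can read when the logged-in user's phone number and password sit in hidden form fields. The hidden-field names `msisdn` and `password`, their values, the sample page layout and the `render*` function names are all assumptions made for illustration.

```javascript
"use strict";

// Added example, not DTAC's code. The element and field names below are
// assumptions made for illustration only.

// Attacker-controlled attachment name, exactly the payload from the post.
const PAYLOAD_NAME = "<img src=x onerror=alert(1)>";

// Constructed sample of a viewer page that (wrongly) embeds the logged-in
// user's phone number and password as hidden inputs. Values are made up.
const HIDDEN_FIELDS_HTML =
  '<input type="hidden" name="msisdn" value="0800000000">' +
  '<input type="hidden" name="password" value="hunter2">';

// Minimal HTML escaping for text content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the untrusted file name goes straight into markup,
// so a name like PAYLOAD_NAME becomes a live <img> element with an onerror handler.
function renderViewerVulnerable(fileName) {
  return "<form>" + HIDDEN_FIELDS_HTML + "</form>" +
    '<div class="attachment">' + fileName + "</div>";
}

// Hardened rendering: the same page with the file name escaped. The hidden
// credentials are still a defect (see the note below), but no script can run.
function renderViewerSafe(fileName) {
  return "<form>" + HIDDEN_FIELDS_HTML + "</form>" +
    '<div class="attachment">' + escapeHtml(fileName) + "</div>";
}

// Does the rendered markup contain a live <img ... onerror=...> element?
// A browser would parse it properly; a regex is enough to show the difference.
function containsLiveImgTag(html) {
  return /<img\b[^>]*\bonerror\s*=/i.test(html);
}

// What any script running in the page can reach: the same data that
// document.getElementsByName("password")[0].value would return in a browser.
// Here it is pulled out of the HTML string so the example runs under Node.
function readHiddenFields(html) {
  const out = {};
  const re = /<input\b[^>]*\btype="hidden"[^>]*\bname="([^"]*)"[^>]*\bvalue="([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    out[m[1]] = m[2];
  }
  return out;
}

// Upload-time check: a legitimate attachment name never needs HTML metacharacters,
// so rejecting (or at least logging) such names is a cheap second line of defence.
function looksLikeMarkup(fileName) {
  return /[<>"'&]/.test(fileName);
}

// Stand-alone demo.
if (typeof require !== "undefined" && require.main === module) {
  const bad = renderViewerVulnerable(PAYLOAD_NAME);
  const good = renderViewerSafe(PAYLOAD_NAME);
  console.log("vulnerable page fires payload:", containsLiveImgTag(bad));
  console.log("hardened page fires payload:  ", containsLiveImgTag(good));
  console.log("what the injected script can read:", readHiddenFields(bad));
}
```

Two things worth noting. Escaping must match the output context: `escapeHtml` above is correct for text nodes and double-quoted attributes, but a file name placed into a URL, a JavaScript string or an unquoted attribute needs the encoding for that context instead. And escaping only closes the XSS; the server already knows who is logged in, so there is no reason for the page to carry the user's password at all, and removing it means that the next injection (there are several, per the post) cannot turn into account takeover.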
A Thai version of this article can be found here: https://www.facebook.com/groups/2600Thailand/permalink/256269531199749/