DTAC is the second largest GSM mobile phone provider in Thailand. It's pretty sad that the company itself doesn't really care much about its security. There are multiple cross-site scripting vulnerabilities and weak authentication. There's one vulnerability I would like to talk about, and that is the stored XSS vulnerability located in the MMS system.
What can you do with this vulnerability?
How to attack?
After some testing, I found out that the file name of the multimedia attachment in an MMS is not sanitized properly. This makes an XSS attack possible.
Simply rename the multimedia file to the XSS payload. For example, if it's an image file, rename it to
<img src=x onerror=alert(1)>. Then send it normally, just as you would send a normal MMS. Your payload will be executed once the message is viewed.
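The root cause described above is an attachment name being written straight into the message view as HTML. The following is an added example (not DTAC's code; the wrapper markup and helper names are assumptions) that shows the unsafe rendering beside the fixed version, which escapes the name before output and normalises stored file names to an allow-list, using the file name quoted in this post as the sample input.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: an attachment whose file name carries the payload
# quoted in this post. It is the only "data" in this example.
ATTACHMENT_NAME = '<img src=x onerror=alert(1)>'


def render_attachment_unsafe(name: str) -> str:
    """The bug: the untrusted file name is interpolated into HTML as-is,
    so any tag in the name becomes part of the page when it is viewed."""
    return f'<div class="attachment">{name}</div>'


def render_attachment_safe(name: str) -> str:
    """The fix at the output stage: HTML-escape the name so the browser
    shows it as text. quote=True also covers attribute contexts."""
    return f'<div class="attachment">{html.escape(name, quote=True)}</div>'


def sanitize_filename(name: str, max_len: int = 64) -> str:
    """Defence in depth at the input stage: keep only characters a file
    name legitimately needs, replacing everything else with '_'."""
    return re.sub(r'[^A-Za-z0-9._-]', '_', name)[:max_len]


class _TagCollector(HTMLParser):
    """Collects start tags so we can check what the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Returns the tag names a browser would parse from the fragment."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


if __name__ == '__main__':
    print('unsafe tags:', tags_in(render_attachment_unsafe(ATTACHMENT_NAME)))
    print('safe tags:  ', tags_in(render_attachment_safe(ATTACHMENT_NAME)))
    print('stored name:', sanitize_filename(ATTACHMENT_NAME))
```

The unsafe path yields a second, attacker-controlled `img` element inside the wrapper; the escaped path yields only the wrapper, and the sanitised name can no longer carry markup even if some other view forgets to escape it.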
The Thai version of this article can be found here: https://www.facebook.com/groups/2600Thailand/permalink/256269531199749/