A security concern with website SMS registration
Many websites now offer SMS registration. Once registered, users can enjoy the various paid (or, rarely, free) SMS information services the website provides. Registration itself is free and fast, but I have found that many websites omit important steps when providing user registration, creating serious security hazards. Look at the registration procedure provided by one website; it really is "fast"!
Let's analyze the source code of this page (the part that submits the form):
Readers familiar with HTML forms should be able to tell what I send to the server when I submit this form: a form submitted to the server with the HTTP POST method. The server-side program handling this form is an ASP program, and the submitted data consists of only two fields, the phone number and a confirmation (the HTTP header may carry some additional cookie information). Without any other auxiliary means of authentication, anyone can enter a mobile phone number, and a text message is then sent to that number.
Now suppose I use a program that sends an HTTP POST message to this server with just enough data to trigger the SMS; the server will then send a text message to the specified number. If I build a database of more than 100 server addresses together with the data needed to send SMS, and repeat this operation 1000 times (or even more), all of those messages go to a single mobile phone! The user will receive several thousand or even 10,000 messages. Can his mobile phone still be used?!
Don't think this is impossible. A simple online search showed me that many websites' SMS registration works in this careless way. I recorded some of them, built a small database, and then wrote a program that reads this database and sends short messages. (A screenshot of the program interface follows:)
The specified number received a lot of spam messages in a short time!
If my database were bigger, the situation would be even worse!
The root cause of this is simply that some registration websites do no strict checking or control during registration, which lets automated programs do such things!
I hope that mobile operators will require websites to provide stricter verification measures before allowing them to offer similar services! For example, an authentication method that requires the user to enter a verification code would make this
[Animation: attack demonstration, using Sina's SMS registration page (copyright Sina)]
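The form described above carries only a phone number and a confirmation field, and the fix suggested here is a verification code plus stricter server-side control. The following is an added example of what that server-side gate can look like; it is not code from the original post or from any of the websites mentioned, and the field names (`phone`, `code`), the limits, the phone-number pattern and the session model are all assumptions. It requires a one-time verification code bound to the client session, and caps how many messages one phone number (and one client address) can trigger within a sliding window, so a script that replays the POST with just a phone number is rejected.

```python
import re
import secrets
import time
from collections import defaultdict, deque

# Hypothetical limits (not from the original post); tune them to the service.
MAX_PER_PHONE = 3        # messages one number may receive per window
MAX_PER_IP = 10          # registration attempts one client address may make per window
WINDOW_SECONDS = 3600    # sliding-window length
# Constructed pattern: an 11-digit mobile number starting with 1 (an assumption).
PHONE_RE = re.compile(r"^1\d{10}$")


class SmsRegistrationGuard:
    """Server-side gate placed in front of the 'send SMS' action.

    A POST is accepted only if it carries a verification code that was
    issued to this session and has not been used yet, and only while the
    phone number and the client address are under their quotas."""

    def __init__(self, now=time.time):
        self._now = now                          # injectable clock for testing
        self._pending_codes = {}                 # session_id -> (code, expiry)
        self._per_phone = defaultdict(deque)     # phone -> timestamps of sends
        self._per_ip = defaultdict(deque)        # ip -> timestamps of attempts

    def issue_code(self, session_id, ttl=300):
        """Issue a fresh one-time code the user must type into the form.
        In a real deployment it would be shown as a CAPTCHA image or similar."""
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending_codes[session_id] = (code, self._now() + ttl)
        return code

    def _prune(self, q):
        """Drop timestamps older than the window; return the remaining count."""
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def handle_post(self, session_id, client_ip, form):
        """Return (accepted, reason). Send the SMS only when accepted is True."""
        phone = form.get("phone", "")
        code = form.get("code", "")

        if not PHONE_RE.fullmatch(phone):
            return False, "invalid phone number"

        # Count every attempt against the client address, including failed ones.
        ip_q = self._per_ip[client_ip]
        if self._prune(ip_q) >= MAX_PER_IP:
            return False, "too many attempts from this client"
        ip_q.append(self._now())

        # The code is consumed on first use, so a replayed POST fails.
        pending = self._pending_codes.pop(session_id, None)
        if pending is None:
            return False, "no verification code issued for this session"
        expected, expiry = pending
        if self._now() > expiry or not secrets.compare_digest(expected, code):
            return False, "verification code wrong or expired"

        # Per-number quota: the target of a flood is the phone, not the client.
        phone_q = self._per_phone[phone]
        if self._prune(phone_q) >= MAX_PER_PHONE:
            return False, "this number has received its quota of messages"
        phone_q.append(self._now())
        return True, "ok"


if __name__ == "__main__":
    guard = SmsRegistrationGuard()
    # Constructed sample: a scripted POST with no issued code is refused,
    # a real form submission with the issued code is accepted.
    print(guard.handle_post("sess-A", "10.0.0.1", {"phone": "13800000000", "code": "123456"}))
    c = guard.issue_code("sess-B")
    print(guard.handle_post("sess-B", "10.0.0.1", {"phone": "13800000000", "code": c}))
```

The per-phone cap is the check that matters most against the scenario described in the post: even if an attacker has many sessions and many client addresses, the number of messages one victim's phone can receive from this site is bounded per window.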
Anyone who wants the attack program and source code may contact me to request them.
(Tigger_211@sina.com)