Microsoft patches GroupMe 'full account' hijack hole

Researcher rates Redmond after rapid response to rathole reveal in group TXTing app


Microsoft has patched a simple 'full-account takeover' flaw in its popular iOS and Android messaging client GroupMe.

The app, once described as "utterly indispensable", was as of 2012 processing a whopping 550 million messages a month, and had been downloaded 76,000 times from Google's Play Store.

New York hacker Dylan Saccomanni said in a post that the service's iOS app contained a flaw allowing account takeover for any targeted phone number.

"A critical vulnerability related to mobile phone SMS verification in the iOS application allowed for account takeover provided you knew your target's phone number," Saccomanni said.

"Knowing just the phone number, you could take over their account entirely while simultaneously resetting their password and email address."

The good news is that Microsoft responded swiftly to Saccomanni's August 28th notification of the flaw with an update to the app issued on September 17th.

"The GroupMe team was excellent and very responsive; they maintained close contact throughout the process ... would report again," Saccomanni chuffed.

The flaw affected the app's "verify a different phone number" option in version 4.4.4 (the latest at the time) and older.

Attackers would enter their own email address into the app but choose to register a victim's phone number that was already in use. The flawed app failed to boot them back to the login screen, and from that state the four-digit SMS second-factor token could be brute-forced with simple scripts: a four-digit code has only 10,000 possible values, so an endpoint that keeps accepting guesses will give up the right one in at most that many requests.
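To show why a four-digit code with no attempt cap is a brute-force problem rather than a second factor, here is a constructed Python model added for this article; it is not GroupMe's code and no detail of the real endpoint is assumed. It puts a verifier that accepts unlimited guesses beside a hardened one that caps attempts (five here, an assumed policy value), burns the code on lockout or success, and compares in constant time, then runs the same sequential guessing loop against both. The code value "7391" is a made-up stand-in for the SMS token.

```python
"""Constructed model of a short SMS verification code under brute force.
Not GroupMe's code: the endpoint behaviour, cap and code value are assumed."""
import hmac
import secrets


def generate_code(digits: int = 4) -> str:
    """Zero-padded random code drawn from a CSPRNG, e.g. '0042'."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class NaiveVerifier:
    """Models the flawed behaviour: the pending verification stays open and
    accepts any number of guesses, so every code is eventually found."""

    locked = False  # never locks out

    def __init__(self, code: str) -> None:
        self._code = code
        self.attempts = 0

    def verify(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self._code


class HardenedVerifier:
    """Caps guesses, invalidates the code once the cap is hit or it is used,
    and compares in constant time so the check itself leaks nothing."""

    def __init__(self, code: str, max_attempts: int = 5) -> None:
        self._code = code
        self._remaining = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # caller must request a fresh code
        self.attempts += 1
        self._remaining -= 1
        if hmac.compare_digest(guess.encode(), self._code.encode()):
            self.locked = True  # single use: burn the code on success too
            return True
        if self._remaining <= 0:
            self.locked = True  # cap reached: this code is dead
        return False


def brute_force(verifier, digits: int = 4):
    """Walk the whole code space in order, the way a simple attack script
    would. Returns (succeeded, guesses_sent); stops once the verifier locks."""
    sent = 0
    for n in range(10 ** digits):
        if verifier.locked:
            break
        sent += 1
        if verifier.verify(f"{n:0{digits}d}"):
            return True, sent
    return False, sent


def success_probability(digits: int, max_attempts: int) -> float:
    """Chance an attacker wins within the attempt cap, for a uniform code."""
    return min(1.0, max_attempts / 10 ** digits)


if __name__ == "__main__":
    code = "7391"  # constructed stand-in for the SMS token
    ok, n = brute_force(NaiveVerifier(code))
    print(f"naive verifier:    takeover={ok} after {n} guesses")
    ok, n = brute_force(HardenedVerifier(code))
    print(f"hardened verifier: takeover={ok}, locked after {n} guesses")
    print(f"4 digits, unlimited tries: p={success_probability(4, 10 ** 4):.6f}")
    print(f"6 digits, 5 tries:         p={success_probability(6, 5):.6f}")
```

The attempt cap is what turns the code into a real second factor: with five tries against four digits an attacker wins one time in 2,000, and moving to six digits pushes that to one in 200,000. Rate limiting alone, without invalidating the code, only slows the same guaranteed win down.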

Bad guys could then change a victim's name, password, and email address, though not the phone number, without generating any alerts.

Saccomanni said that "... combined with complete account takeover made this vulnerability very dangerous."

He said there was no evidence attackers had exploited the flaw. ®
