Gaming two-factor authentication systems with premium rate phone numbers can be very profitable – or it was until the flaws got reported.
Belgian security researcher Arne Swinnen noticed that the authentication systems used by Facebook-owned Instagram, Google and Microsoft allow access tokens to be received by a voice call as well as a text message. By linking accounts to a premium-rate phone number he controlled and could pocket money from, he was able to scam the three companies out of cash – in some cases potentially thousands of dollars a day.
"Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number," he said. "The vulnerabilities were submitted to the respective Bug Bounty programs and properly resolved."
In the Microsoft case, he set up an Office 365 trial account and linked it back to a premium-rate number he owned. Redmond's servers will block authentication calls to a number after seven failed attempts to call it, but there were ways around that.
Swinnen found that by preceding the high-cost calling number with up to 18 zeros fooled the Office authentication system into making many more calls. Adding in a country code had the same effect, as did adding up to four digits at the end of the phone number string. All these techniques tricked Office into thinking it was calling new numbers rather than the same one over and over.
By writing a script to automate this process, a single premium rate number could yield €668,882 ($740,485) in call charges before the app refused to dial any more. To make matters worse, multiple accounts could be linked to the same phone number, meaning Swinnen could potentially have coined in one Euro in profit every minute.
After informing Microsoft of the flaw, the Office team quickly fixed the issue. The company gave Swinnen a $500 bug bounty, saying it would have been more but no customer data was stolen in the attack.
Facebook was rather more generous, giving Swinnen $2,000 after he found a similar method to sucker Instagram's authentication system into dialing up an expensive number. The authentication dialer is limited to one call every 30 seconds, and calls lasted just 17 seconds, but that still reaped €1.20 ($1.33) every 30 minutes.
In addition, Instagram has no problems having the same number linked to multiple accounts. So by setting up 100 accounts using the same premium-rate number, Swinnen could theoretically trouser €2,069,885 ($2,291,880) a year.
Google's authentication system proved the most resilient to this kind of attack, thanks to the system limiting itself to 10 calls an hour to a number for authentication. But it doesn't stop trying after a set number of calls, and by using a Python script and multiple accounts, Swinnen estimated he could have pulled in €432,000 ($478,332) a year.
"It looks like we have mitigations in place, and because of how the whole telco industry works, it's impossible to prevent it completely from happening. The attempt to exfiltrate the money would be stopped after a short time though, as we have the mitigations in place to detect it, so there's that," said Google in response to the findings.
"Because of the above, the panel decided not to reward this report financially (as we said, Google money loss for our process is less important than users' security). It qualified for the credit though – you'll appear in a Google Hall of Fame." ®