FDEU-CVE-2020-03081

Summary

User enumeration, a weak temporary password and broken brute-force protection allow an attacker to take over any customer account at mano.tele2.lt.

Tech details

The mobile application “Mano Tele2” uses the API server at api.tele2.lt. As an additional security layer, a separate authorization server, appwscapi.tele2.lt, is involved. To register an account, users receive an SMS with a 4-digit numeric code. To reset a password, a user needs a 4-digit numeric temporary code. The temporary code expires after about 30 minutes.

Vulnerabilities

Weak temporary code

A 4-digit numeric-only temporary code has only 10,000 possible values. From a mobile internet connection close to the server, the code check endpoint accepts more than 20 guesses per second, so an attacker needs at most 500 seconds to try the entire key space, well under the hardcoded temporary code lifetime of 30 minutes. Requesting a new code is subject to a resend cooldown, but that cooldown does not slow down guessing:

HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 94

{
  "ErrorType": "WebApi.TempPassword",
  "ErrorMessage": "Temp password resend cooldown not expired"
}

User enumeration

By enumerating MSISDNs against the password recovery endpoint it is possible to check whether a given number has an account. For an unregistered number the API responds:

HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 152

{
  "ErrorType": "WebApi.UserNotExists",
  "ErrorMessage": "Provided MSISDN is not registered in selfcare. API client should direct user to registration flow."
}

For a registered user the API gives this response instead:

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Content-Length: 113

{
  "error": "WebApi.ResourceOwnerCredentials.Error.InvalidPassword",
  "error_description": "Neteisingas slaptažodis."
}

(error_description, translated from Lithuanian: "Incorrect password.")

Broken brute force protection

The API implements brute-force protection by limiting the number of temp code check attempts:

HTTP/1.1 500 Internal Server Error
Content-Type: application/json; charset=utf-8
Content-Length: 195

{
  "ErrorType": "WebApi.TooManyTempPasswordAttempts",
  "ErrorMessage": "Neteisingai įvedėte laikiną slaptožodį per daug kartų. Pradėkite slaptažodžio priminimą arba registraciją iš naujo."
}

(ErrorMessage, translated from Lithuanian: "You have entered the temporary password incorrectly too many times. Start the password reminder or registration again.")

However, it turned out that the temp password is still checked: if the correct code is supplied after XXX failed attempts, the system still accepts it.
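The following is an added example, not Tele2's code, that models the three findings above (weak 4-digit code, user enumeration on the reset endpoint, and a lockout that is only advisory) next to a corrected verifier. The class names, the MSISDN, the lockout threshold of five attempts and the `WebApi.TempPassword.*` result strings other than those quoted in the responses are assumptions; a fake clock replaces wall time so the 500-second figure can be reproduced offline.

```python
"""Model of the temporary-code flow described in this advisory.

Added example, not Tele2's code: class, error and field names are
hypothetical and only mirror the ErrorType strings seen in the responses.
A fake clock stands in for time.time() so the timing maths is reproducible.
"""
import hmac
import secrets

CODE_DIGITS = 4            # the advisory's 4-digit numeric code
CODE_TTL = 30 * 60         # ~30 minute lifetime, in seconds
MAX_ATTEMPTS = 5           # hypothetical lockout threshold
CHECKS_PER_SECOND = 20     # rate observed by the reporter

USERS = {"37060000001"}    # constructed: one registered MSISDN


class FakeClock:
    """Deterministic stand-in for time.time()."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class BrokenVerifier:
    """Reproduces the reported behaviour: the reset endpoint leaks whether the
    MSISDN is registered, and the lockout error is returned only after the
    guess was compared, so a correct guess is accepted regardless of how many
    failures preceded it."""
    def __init__(self, clock, digits=CODE_DIGITS, randbelow=secrets.randbelow):
        self.clock, self.digits, self.randbelow = clock, digits, randbelow
        self.pending = {}  # msisdn -> [code, expires_at, failed_attempts]

    def request_reset(self, msisdn):
        if msisdn not in USERS:
            return "WebApi.UserNotExists"          # leaks account existence
        code = f"{self.randbelow(10 ** self.digits):0{self.digits}d}"
        self.pending[msisdn] = [code, self.clock.now() + CODE_TTL, 0]
        return "OK"                                 # code would go out by SMS

    def check(self, msisdn, guess):
        rec = self.pending.get(msisdn)
        if rec is None or self.clock.now() > rec[1]:
            return "WebApi.TempPassword.Expired"
        if hmac.compare_digest(rec[0], guess):     # compared before the limit
            del self.pending[msisdn]
            return "OK"
        rec[2] += 1
        if rec[2] >= MAX_ATTEMPTS:
            return "WebApi.TooManyTempPasswordAttempts"  # message only; code stays valid
        return "WebApi.TempPassword.Invalid"


class FixedVerifier(BrokenVerifier):
    """Same flow with the findings closed: a uniform reset response, a longer
    code, and a lockout that discards the code before any comparison."""
    def __init__(self, clock, digits=6, randbelow=secrets.randbelow):
        super().__init__(clock, digits, randbelow)

    def request_reset(self, msisdn):
        super().request_reset(msisdn)
        return "OK"   # identical response whether or not the MSISDN is registered

    def check(self, msisdn, guess):
        rec = self.pending.get(msisdn)
        if rec is None or self.clock.now() > rec[1]:
            return "WebApi.TempPassword.Expired"
        rec[2] += 1
        if rec[2] > MAX_ATTEMPTS:
            del self.pending[msisdn]                # code is dead; user must restart
            return "WebApi.TooManyTempPasswordAttempts"
        if hmac.compare_digest(rec[0], guess):
            del self.pending[msisdn]
            return "OK"
        return "WebApi.TempPassword.Invalid"


def brute_force(verifier, clock, msisdn, rate=CHECKS_PER_SECOND):
    """Walk the whole numeric key space at the observed check rate.
    Returns (accepted_code_or_None, elapsed_seconds)."""
    verifier.request_reset(msisdn)
    for n in range(10 ** verifier.digits):
        guess = f"{n:0{verifier.digits}d}"
        result = verifier.check(msisdn, guess)
        clock.advance(1.0 / rate)
        if result == "OK":
            return guess, clock.now()
        if result == "WebApi.TempPassword.Expired":  # locked out or TTL hit
            return None, clock.now()
    return None, clock.now()


if __name__ == "__main__":
    clock = FakeClock()
    code, secs = brute_force(BrokenVerifier(clock), clock, "37060000001")
    print(f"broken: code {code} recovered after {secs:.0f}s (TTL is {CODE_TTL}s)")
    clock = FakeClock()
    code, secs = brute_force(FixedVerifier(clock), clock, "37060000001")
    print(f"fixed: result {code} after {secs:.2f}s (locked out)")
```

Against `BrokenVerifier` the full 4-digit space is exhausted in 500 simulated seconds, so the code is always recovered before the 30-minute TTL; against `FixedVerifier` the attacker gets six attempts, the code is discarded, and the same guess that would have succeeded is rejected with the expired response.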

Account takeover

In order to take over an arbitrary account, an attacker needs:

Timeline