Some account options deployed by Instagram, Google and Microsoft can be misused to steal money from the companies by making them place phone calls to premium rate numbers, security researcher Arne Swinnen has demonstrated.
Swinnen abused Instagram’s option to link a mobile phone number to an account. Instagram verifies the link by texting a token to the number; after several unsuccessful SMS attempts, the service falls back to placing a voice call to the number that lasts some 17 seconds. By supplying a premium-rate number he controlled, Swinnen earned money on every such call.
Instagram did not detect that the supplied number was a premium-rate one, nor did it notice when the same number was tied to 100 different Instagram accounts. The service did limit how often a verification call could be requested for a number (once every 30 seconds), but the requests could simply be scheduled at that interval.
Facebook fixed the problem by adjusting rate limits and putting additional monitoring in place. They awarded Swinnen $2000 for his efforts.
Microsoft could have been fleeced in the same way through the phone number submitted when setting up an Office 365 trial registration.
Several protections, such as blocking a number after seven failed registration attempts, could be bypassed simply by adding digits before or after the submitted phone number, and Microsoft also allowed concurrent calls to the same premium number.
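As an added example, not code from the article or from any of the vendors named in it, the gate below shows how both weaknesses described above can be closed: the submitted number is reduced to a canonical form before any limit is applied, so spacing, punctuation, international-prefix variants and padded digits cannot produce a "new" number that evades a block, and the call budget and the concurrency check are keyed on the destination rather than on the requesting account, so one premium number spread over many accounts still draws on a single allowance. The numbering-plan table, the limits, the account IDs and the phone numbers are all constructed for illustration (the +1 900 555 01xx numbers are in the reserved fictional range).

```python
import re
from collections import defaultdict, deque
from typing import Optional

INTL_PREFIX_RE = re.compile(r"^(?:\+|00)")

# Illustrative numbering-plan table (an assumption for this example, not a
# complete plan): country code -> allowed national-number lengths in digits.
NATIONAL_LENGTHS = {"1": {10}}


def canonical_number(raw: str, default_cc: str = "1", trunk: str = "1",
                     lengths=NATIONAL_LENGTHS) -> Optional[str]:
    """Reduce a submitted phone number to a digits-only E.164 form.

    Returns None when the input cannot be a single well-formed number, so a
    number padded with extra digits is refused instead of being dialed.
    Assumption: a number without an international prefix is a national number
    of default_cc, optionally written with the trunk prefix.
    """
    s = raw.strip()
    if INTL_PREFIX_RE.match(s):
        digits = re.sub(r"\D", "", INTL_PREFIX_RE.sub("", s, count=1))
        for cc, allowed in lengths.items():
            if digits.startswith(cc) and len(digits) - len(cc) in allowed:
                return digits
        return None
    digits = re.sub(r"\D", "", s)
    allowed = lengths.get(default_cc, set())
    if digits.startswith(trunk) and len(digits) - len(trunk) in allowed:
        digits = digits[len(trunk):]
    if len(digits) not in allowed:
        return None
    return default_cc + digits


class VerificationCallGate:
    """Decides whether a verification call may be placed to a number.

    Every limit is keyed on the canonical destination, never on the account,
    so many accounts sharing one premium number (or one number written many
    ways) see a single budget. One in-flight call per destination rules out
    concurrent calls to the same number.
    """

    def __init__(self, max_calls: int, window_s: int, max_accounts: int):
        self.max_calls = max_calls
        self.window_s = window_s
        self.max_accounts = max_accounts
        self._calls = defaultdict(deque)    # canonical -> call start times
        self._accounts = defaultdict(set)   # canonical -> account ids seen
        self._inflight = set()

    def request_call(self, account_id: str, raw_number: str, now: float) -> str:
        key = canonical_number(raw_number)
        if key is None:
            return "reject:invalid-number"
        self._accounts[key].add(account_id)
        if len(self._accounts[key]) > self.max_accounts:
            return "reject:shared-by-too-many-accounts"
        if key in self._inflight:
            return "reject:call-in-progress"
        recent = self._calls[key]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()
        if len(recent) >= self.max_calls:
            return "reject:rate-limited"
        recent.append(now)
        self._inflight.add(key)
        return "allow"

    def call_finished(self, raw_number: str) -> None:
        self._inflight.discard(canonical_number(raw_number))


def demo() -> list:
    """Constructed abuse sequence: one fictional premium number, many accounts
    and spellings. Timestamps are seconds on an injected clock."""
    gate = VerificationCallGate(max_calls=3, window_s=3600, max_accounts=5)
    target = "+1 900 555 0100"
    out = [gate.request_call("acct-1", target, now=0)]                     # allow
    out.append(gate.request_call("acct-2", "001 900 555 0100", now=30))    # same destination, still ringing
    gate.call_finished(target)
    out.append(gate.request_call("acct-2", "001 900 555 0100", now=31))    # allow (2nd call in window)
    gate.call_finished(target)
    out.append(gate.request_call("acct-3", "1 (900) 555-0100", now=60))    # allow (3rd call in window)
    gate.call_finished(target)
    out.append(gate.request_call("acct-4", "900-555-0100", now=90))        # budget for this number spent
    out.append(gate.request_call("acct-5", "+1 900 555 01001", now=120))   # padded digit: not dialed
    out.append(gate.request_call("acct-6", target, now=3700))              # window expired, 5th account
    gate.call_finished(target)
    out.append(gate.request_call("acct-7", target, now=3701))              # 6th account on one number
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The rate limit and the account cap are deliberately independent of `account_id`: a limit that is enforced per account, or per raw string, is exactly what a fleet of fake accounts and cosmetic variations of one number defeat. The numbering-plan table here covers a single country code only; a real deployment would use a full numbering-plan library for the length and prefix rules.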
He got only $500 for these findings, because the vulnerability did not put customers’ data at risk. “We always want to encourage researchers to spend their time helping us protect the users, but in this case, we certainly want to provide a reward for helping to protect us and our partners,” Microsoft told him.
Finally, Google chose to reward Swinnen with just a mention in their Hall of Fame.
Swinnen demonstrated that Google’s two-factor authentication option could likewise be exploited to trigger phone calls to premium-rate numbers, but the company says it already has mitigations in place against sustained attempts to extract money this way.
And, they say, losing some money matters less than the security of their users, which the 2FA feature greatly improves. They noted that, because of how the telco industry works, attacks such as these cannot be prevented completely, so they will not be implementing any changes.
Swinnen calculated that, in theory, these options would allow an attacker to milk over €2 million per year from Instagram, €432,000 per year from Google, and nearly €700,000 per year from Microsoft by using a slew of fake accounts, multiple premium numbers, and various tools and approaches to automate the process.
With the changes that Instagram and Microsoft implemented, this should now be impossible. But, with details now available for this type of exploitation aimed at Google, attackers could try to see just how well the company’s mitigations work, and whether it’s worth the effort to try it.