A bug in EE’s family data gifting system allowed users to obtain unlimited data free of charge.
Hey! Thanks for taking the time to check this out! You're probably wondering who I am and what this is, so let me give you a brief overview; my name is Daley Bee, I'm 18, and I'm a security researcher from the UK. This is my first personal blog post, and it will cover a bug I found in UK telecom giant EE's data gifting system nearly a year ago. Oh, and in case you couldn't tell, that picture on the left is me :D
If you’re anything like me, you’re probably already tired of all the mumble jumble I’ve written above – you just want to see the bug and how it works! So, without further ado, we’ll get into it.
In June 2018, EE introduced ‘family accounts’ and, with that, ‘data gifting’. ‘Data gifting’ allows you to gift unused data to family members on the same account. This service is only available to pay-monthly customers. The administrative account holder can view how much data is left on each account, as well as move it from one account to another in increments of 500MB. With this, they released a new endpoint to the My EE portal, which customers use to manage their account, billing details and payments.
When you gift data to someone else, this is the HTTP request that is made:
As you can see in the HTTP request above, there are 3 important POST parameters that should be filled:
The only thing here is we can’t select to send data to ourselves – it’s greyed out, god damn it.
The issue? This check was only done client-side (rofl). Simply intercepting the HTTP request and setting the ‘donorMsisdn’ and ‘recipientMsisdn’ parameters to the same value allowed the gift to succeed. In this case, the system would work like this:
Here is a PoC video I recorded around a year ago for the EE security team, demonstrating this issue:
Long story short, malicious people could’ve gained unlimited data free of charge and defrauded EE.
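To make the fix concrete, here is an added example (my own illustration, not EE's code) of the server-side validation a gifting endpoint needs so that the greyed-out option in the UI is actually enforced. The parameter names donorMsisdn and recipientMsisdn come from the request described above; the third parameter name (amount), the FamilyAccount model, the validate_gift / apply_gift helpers and all sample phone numbers are assumptions. Because the post does not spell out how the backend accounted for a self-gift, the example does not try to reproduce that; instead it shows the checks that reject the request outright and an invariant (the family's total allowance never changes) that would have caught any accounting bug of this kind.

```python
"""Server-side validation for a family data-gifting request.

Added example, not EE's code. donorMsisdn / recipientMsisdn are the
parameter names from the post; everything else here is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List

INCREMENT_MB = 500  # the post says gifts move in 500MB steps


class GiftRejected(ValueError):
    """Raised when a gift request fails a server-side check."""


@dataclass
class FamilyAccount:
    admin_msisdn: str
    # remaining monthly allowance per member: MSISDN -> MB (assumed model)
    allowance_mb: Dict[str, int]


def validate_gift(account: FamilyAccount, acting_msisdn: str,
                  request: Dict[str, str]) -> List[str]:
    """Return every reason the request must be rejected (empty list = OK).

    These are the checks the client-side greying-out implied but, per the
    post, the server did not enforce. Never trust the client for any of them.
    """
    problems: List[str] = []
    donor = request.get("donorMsisdn", "")
    recipient = request.get("recipientMsisdn", "")
    try:
        amount = int(request.get("amount", ""))  # 'amount' is an assumed name
    except ValueError:
        return ["amount is not an integer"]

    # only the family administrator may move data around
    if acting_msisdn != account.admin_msisdn:
        problems.append("only the account administrator may gift data")
    # the check that was missing server-side in the post
    if donor == recipient:
        problems.append("donor and recipient must differ")
    # both numbers must belong to this family account
    for role, msisdn in (("donor", donor), ("recipient", recipient)):
        if msisdn not in account.allowance_mb:
            problems.append(f"{role} {msisdn!r} is not on this family account")
    # gifts are positive and in whole increments
    if amount <= 0 or amount % INCREMENT_MB:
        problems.append(f"amount must be a positive multiple of {INCREMENT_MB}MB")
    # the donor can only give what they still have
    if donor in account.allowance_mb and account.allowance_mb[donor] < amount:
        problems.append("donor does not have that much data left")
    return problems


def apply_gift(account: FamilyAccount, acting_msisdn: str,
               request: Dict[str, str]) -> Dict[str, int]:
    """Validate, then move data; returns the updated allowances."""
    problems = validate_gift(account, acting_msisdn, request)
    if problems:
        raise GiftRejected("; ".join(problems))
    amount = int(request["amount"])
    total_before = sum(account.allowance_mb.values())
    account.allowance_mb[request["donorMsisdn"]] -= amount
    account.allowance_mb[request["recipientMsisdn"]] += amount
    # a gift only moves data between members: the family total must not change.
    # This invariant is what a self-gift that minted data would violate.
    assert sum(account.allowance_mb.values()) == total_before
    return dict(account.allowance_mb)


if __name__ == "__main__":
    # constructed sample account: admin has 2000MB left, one family member has 500MB
    acct = FamilyAccount("447700900001", {"447700900001": 2000, "447700900002": 500})
    print(apply_gift(acct, "447700900001",
                     {"donorMsisdn": "447700900001",
                      "recipientMsisdn": "447700900002", "amount": "1000"}))
    try:
        apply_gift(acct, "447700900001",
                   {"donorMsisdn": "447700900001",
                    "recipientMsisdn": "447700900001", "amount": "500"})
    except GiftRejected as err:
        print("rejected:", err)
```

The point of keeping validate_gift separate from apply_gift is that the same function can be unit-tested against every bad request shape (self-gift, foreign number, odd amount, non-admin caller) without touching the ledger, and the total-allowance assertion in apply_gift turns any future accounting mistake into a loud failure rather than free data.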
That’s all folks! I appreciate you taking the time to read my mumble jumble if you made it this far. Also, while you’re here, you should come hang out in the Underdog Security Discord server. There’s around 200 people here, all talking about infosec and bug bounty from all different walks of life. Oh, and they’re hosting a cash prize CTF soon! :D
Daley Bee - https://twitter.com/daley