Why you shouldn't do client-side checks only; unlimited data via EE gifting system


Summary:

A bug in EE’s family data gifting system allowed users to obtain unlimited data free of charge.


What is this? Who are you?

[Photo: hi it me]

Hey! Thanks for taking the time to check this out! You're probably wondering who I am and what this is, so let me give you a brief overview; my name is Daley Bee, I'm 18, and I'm a security researcher from the UK. This is my first personal blog post, and it will cover a bug I found in UK telecom giant EE's data gifting system nearly a year ago. Oh, and in case you couldn't tell, that picture on the left is me :D

Why not to check stuff client-side; obtaining unlimited data via EE gifting system

If you’re anything like me, you’re probably already tired of all the mumble jumble I’ve written above – you just want to see the bug and how it works! So without further ado, we’ll get into it.

In June 2018, EE introduced ‘family accounts’ and, with them, ‘data gifting’. Data gifting allows you to gift unused data to family members on the same account. The service is only available to pay monthly customers. The administrative account holder can view how much data is left on each number, and move it from one number to another in increments of 500MB. To support this, EE added a new endpoint to the My EE portal, which customers use to manage their account, billing details and payments.

[Screenshot: EE portal, EE data gifting system]

When you gift data to someone else, this is the HTTP request that is made:

POST /app/managedevice HTTP/1.1
Host: myaccount.ee.co.uk
User-Agent: 1337
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://myaccount.ee.co.uk/app/managedevice?activeTab=family-gifting
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
Cookie: 1337
Connection: close
Upgrade-Insecure-Requests: 1

fa=giftData&giftingAmountInMB=500&donorMsisdn=447133337538&recipientMsisdn=&recipientMsisdn=447133337538&csrf=1337
Data gifting HTTP request

As you can see in the HTTP request above, there are three POST parameters that matter: giftingAmountInMB (how much data to move, in 500MB steps), donorMsisdn (the number the data is taken from) and recipientMsisdn (the number that receives it). Note that recipientMsisdn is sent twice, once empty and once with the real value; the server evidently uses the non-empty one.

The only catch is that the portal won’t let you pick yourself as the recipient – your own number is greyed out in the drop-down, god damn it.

[Screenshot: EE portal, disabled recipient when data gifting]

The issue? That check was only done client-side (rofl). Simply intercepting the HTTP request and setting the ‘donorMsisdn’ and ‘recipientMsisdn’ parameters to the same value allowed the gift to succeed. The server then behaved like this:

  1. Take data from donor phone number
  2. Give it to recipient phone number
  3. Recipient data allowance increased
  4. THEN check if recipient and donor are the same
  5. Return the gifted data to donor
  6. Keep the gifted data as well
  7. Profit?
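To make the ordering problem concrete, here is an added example (not EE's code, and not taken from the post) that models the gifting handler as a toy in-memory ledger. The MSISDNs, balances and the FAMILY set are constructed sample data; the request body is the captured one from above with donor and recipient set to the same number. gift_vulnerable applies the seven steps in the order the post describes, so a self-gift nets the donor +500MB; gift_fixed validates every precondition (different numbers, both in the caller's family, sane amount, enough balance) before touching either balance, so a self-gift is rejected and the ledger is unchanged. The parser also shows one way to handle the duplicated recipientMsisdn field without either silently picking the wrong copy or rejecting the legitimate request.

```python
"""Toy model of a data-gifting handler: the 'mutate, then check, then refund'
ordering described in the post, beside a version that validates first.
Added example, not EE's code; all numbers and balances are constructed."""
from __future__ import annotations

from urllib.parse import parse_qs

# Constructed sample data: the two numbers are assumed to belong to the
# authenticated family account, which is what a real handler would look up.
FAMILY = {"447133337538", "447133337539"}


def fresh_ledger() -> dict:
    """Remaining data in MB per MSISDN (constructed)."""
    return {"447133337538": 5000, "447133337539": 1000}


class GiftError(ValueError):
    """Raised when a gift request fails server-side validation."""


def parse_gift_request(body: str) -> tuple:
    """Parse the form body into (donor, recipient, amount_mb).

    keep_blank_values=True makes the empty first recipientMsisdn visible.
    Blank copies are ignored, but two different non-blank values for the
    same field are rejected rather than letting first/last-wins decide."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("fa") != ["giftData"]:
        raise GiftError("unexpected action")

    def exactly_one(name: str) -> str:
        values = [v for v in fields.get(name, []) if v != ""]
        if len(set(values)) != 1:
            raise GiftError(f"{name} must be supplied exactly once")
        return values[0]

    return (exactly_one("donorMsisdn"),
            exactly_one("recipientMsisdn"),
            int(exactly_one("giftingAmountInMB")))


def gift_vulnerable(ledger: dict, donor: str, recipient: str, amount_mb: int) -> None:
    """Steps 1-6 as the post describes them: balances move before the
    self-gift check runs, and the 'refund' credits the donor a second time."""
    ledger[donor] -= amount_mb        # 1. take data from donor
    ledger[recipient] += amount_mb    # 2-3. recipient allowance increased
    if donor == recipient:            # 4. check runs too late
        ledger[donor] += amount_mb    # 5. 'return' the gift; 6. credit from step 2 stays


def gift_fixed(ledger: dict, donor: str, recipient: str, amount_mb: int) -> None:
    """Validate every precondition server-side, then apply both legs."""
    if donor == recipient:
        raise GiftError("donor and recipient must be different numbers")
    if donor not in FAMILY or recipient not in FAMILY:
        raise GiftError("both numbers must belong to the caller's family account")
    if amount_mb <= 0 or amount_mb % 500 != 0:
        raise GiftError("amount must be a positive multiple of 500MB")
    if ledger[donor] < amount_mb:
        raise GiftError("donor does not have that much data left")
    ledger[donor] -= amount_mb
    ledger[recipient] += amount_mb


# Constructed body: the captured request with donor == recipient.
SELF_GIFT_BODY = ("fa=giftData&giftingAmountInMB=500&donorMsisdn=447133337538"
                  "&recipientMsisdn=&recipientMsisdn=447133337538&csrf=1337")


def run_self_gift(handler) -> dict:
    """Replay the self-gift body against a handler and return the ledger."""
    ledger = fresh_ledger()
    donor, recipient, amount = parse_gift_request(SELF_GIFT_BODY)
    try:
        handler(ledger, donor, recipient, amount)
    except GiftError:
        pass  # the fixed handler rejects; the ledger must be untouched
    return ledger


if __name__ == "__main__":
    print("vulnerable:", run_self_gift(gift_vulnerable))  # donor ends up with 5500
    print("fixed:     ", run_self_gift(gift_fixed))       # donor still has 5000
```

Two design points carry over to any real handler: every check that the UI enforces (greyed-out option, hidden field, disabled button) has to be repeated on the server against the authenticated session, and the balance update should only happen after all checks pass, ideally as one database transaction so a failure half-way cannot leave a credit without its matching debit.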

Here is a PoC video I recorded around a year ago for the EE security team, demonstrating this issue:

Long story short, malicious people could’ve gained unlimited data, free of charge and defrauded EE.

That’s all folks! I appreciate you taking the time to read my mumble jumble if you made it this far. Also, while you’re here, you should come hang out in the Underdog Security Discord server. There’s around 200 people here, all talking about infosec and bug bounty from all different walks of life. Oh, and they’re hosting a cash prize CTF soon! :D



Daley Bee - https://twitter.com/daley

hacker & developer