Why you shouldn't do client-side checks; EE's gifting system
Unlimited 4G data via a bug in EE's family account system

What is this? Who are you?

Hey! Thanks for taking the time to check this out! You’re probably wondering who I am and what this is, so let me give you a brief overview; my name is Daley Bee, I’m 18, and I’m a security researcher from the UK. This is my first personal blog post that will cover a bug I found in UK telecom giant EE’s data gifting system nearly a year ago.

Why not to check stuff client-side; obtaining unlimited data via EE's gifting system

If you’re anything like me, you’re probably already tired of all the mumble jumble I’ve written above – you just want to see the bug and how it works! So with no further ado, we’ll get into it.

In June 2018, EE introduced ‘family accounts’ and with that, ‘data gifting’. ‘Data gifting’ allows you to gift unused data to family members on the same account. This service is only available to pay-monthly customers. The administrative account holder has the ability to view how much data is left on each account, as well as move it from one account to another in increments of 500MB. With this, they released a new endpoint in the My EE portal, which customers use to manage their account, billing details and payments.

EE portal

When you gift data to someone else, this is the HTTP request that is made:

POST /app/managedevice HTTP/1.1
Host: myaccount.ee.co.uk
User-Agent: 1337
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://myaccount.ee.co.uk/app/managedevice?activeTab=family-gifting
Content-Type: application/x-www-form-urlencoded
Content-Length: 126
Cookie: 1337
Connection: close
Upgrade-Insecure-Requests: 1

fa=giftData&giftingAmountInMB=500&donorMsisdn=447133337538&recipientMsisdn=&recipientMsisdn=447133337538&csrf=1337

As you can see in the HTTP request above, there are 3 important POST parameters that need to be filled: giftingAmountInMB (how much data to move), donorMsisdn (the number the data is taken from) and recipientMsisdn (the number that receives it).

The only restriction here is that we can’t select ourselves as the recipient – that option is greyed out in the UI.

EE portal

The issue? This check was only done client-side (rofl). Simply intercepting the HTTP request and setting the ‘donorMsisdn’ and ‘recipientMsisdn’ parameters to the same value allowed the gifting to succeed. In this case, the system would work like this:

  1. Take data from donor phone number
  2. Give it to recipient phone number
  3. Recipient data allowance increased
  4. THEN checks if recipient and donor are the same
  5. Returns the gifted data to donor
  6. Recipient (also us) keeps the gifted data as well
  7. Profit?
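To make the ordering problem concrete, here is an added example (my own illustration, not EE's code) that parses the form body from the request above and then processes it two ways: once in the order the steps above describe (credit first, check afterwards, refund the donor), and once with every check done server-side before any balance is touched. The account holder, the second phone number and the starting allowances are constructed sample values; the parameter names are the ones from the request.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

GIFT_INCREMENT_MB = 500  # the portal moves data in 500MB steps


class GiftError(Exception):
    """Raised when a gift request fails server-side validation."""


@dataclass
class FamilyAccount:
    holder: str            # MSISDN of the administrative account holder
    allowances: dict       # MSISDN -> remaining data allowance in MB


def parse_gift_request(body: str) -> dict:
    """Extract the three parameters a gift needs from the form body.

    The request on the page sends recipientMsisdn twice, once empty; this
    parser takes the last non-empty value for each key, which is an
    assumption about how the real backend resolves repeated keys.
    """
    params = parse_qs(body, keep_blank_values=True)
    if params.get("fa") != ["giftData"]:
        raise GiftError("not a giftData request")

    def last_non_empty(key: str) -> str:
        values = [v for v in params.get(key, []) if v]
        if not values:
            raise GiftError(f"missing parameter {key}")
        return values[-1]

    return {
        "amount_mb": int(last_non_empty("giftingAmountInMB")),
        "donor": last_non_empty("donorMsisdn"),
        "recipient": last_non_empty("recipientMsisdn"),
    }


def gift_vulnerable(acct: FamilyAccount, amount_mb: int, donor: str, recipient: str) -> dict:
    """The flow as the post describes it: mutate first, check afterwards.

    When donor == recipient the 'refund' in step 5 is applied on top of the
    credit from step 2, so the number ends up with amount_mb more than it
    started with.
    """
    acct.allowances[donor] -= amount_mb          # 1. take data from donor
    acct.allowances[recipient] += amount_mb      # 2./3. give it to recipient
    if donor == recipient:                       # 4. same-number check, too late
        acct.allowances[donor] += amount_mb      # 5. return the data to donor
    return acct.allowances                       # 6. recipient keeps it as well


def gift_hardened(acct: FamilyAccount, actor: str, amount_mb: int,
                  donor: str, recipient: str) -> dict:
    """Validate everything on the server before touching any balance.

    The UI's greyed-out option is only a convenience; these checks are the
    ones that actually enforce the rules.
    """
    if actor != acct.holder:
        raise GiftError("only the account holder may gift data")
    if donor == recipient:
        raise GiftError("donor and recipient must be different numbers")
    if donor not in acct.allowances or recipient not in acct.allowances:
        raise GiftError("both numbers must belong to this family account")
    if amount_mb <= 0 or amount_mb % GIFT_INCREMENT_MB:
        raise GiftError(f"amount must be a positive multiple of {GIFT_INCREMENT_MB}MB")
    if acct.allowances[donor] < amount_mb:
        raise GiftError("donor does not have that much data left")
    # Only now mutate, and apply both sides of the transfer together.
    acct.allowances[donor] -= amount_mb
    acct.allowances[recipient] += amount_mb
    return acct.allowances


# Constructed sample account: the holder is the number from the request,
# the second number and both allowances are made up for the example.
def sample_account() -> FamilyAccount:
    return FamilyAccount(holder="447133337538",
                         allowances={"447133337538": 1000, "447100000001": 2000})


if __name__ == "__main__":
    body = ("fa=giftData&giftingAmountInMB=500&donorMsisdn=447133337538"
            "&recipientMsisdn=&recipientMsisdn=447133337538&csrf=1337")
    req = parse_gift_request(body)
    print("vulnerable:", gift_vulnerable(sample_account(), req["amount_mb"], req["donor"], req["recipient"]))
    try:
        gift_hardened(sample_account(), "447133337538", req["amount_mb"], req["donor"], req["recipient"])
    except GiftError as e:
        print("hardened rejected:", e)
```

Running it shows the vulnerable path leaving the donor/recipient number at 1500MB from a 1000MB start, while the hardened path rejects the request without changing anything. The general point is the one the heading makes: whatever the browser greys out, the server has to re-check the same constraints, and it has to do so before it mutates state.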

Here is a PoC video I recorded around a year ago for the EE security team, demonstrating this issue (sorry for all the big black boxes; I don’t have the blurred-only version anymore):

Long story short, malicious people could have gained unlimited data free of charge, defrauding EE.

That’s all folks! I appreciate you taking the time to read my mumble jumble if you made it this far. Also, while you’re here, you should come hang out in the Underdog Security Discord server. There are around 200 people there, all talking about infosec and bug bounty, from all different walks of life. Oh, and they’re hosting a cash prize CTF soon! :D

Underdog Security Discord


Daley Bee - https://twitter.com/daley

*****
Written by Daley Bee on 02 May 2019