What is this? Who are you?
Hey! Thanks for taking the time to check this out! You’re probably wondering who I am and what this is, so let me give you a brief overview: my name is Daley Bee, I’m 18, and I’m a security researcher from the UK. This is my first personal blog post, and it covers a bug I found in UK telecom giant EE’s data gifting system nearly a year ago.
Why not to check stuff client-side; obtaining unlimited data via the EE gifting system
If you’re anything like me, you’re probably already tired of all the mumbo jumbo I’ve written above – you just want to see the bug and how it works! So with no further ado, we’ll get into it.
In June 2018, EE introduced ‘family accounts’ and, with them, ‘data gifting’. ‘Data gifting’ allows you to gift unused data to family members on the same account. This service is only available to pay-monthly customers. The administrative account holder can view how much data is left on each account, as well as move it from one account to another in increments of 500MB. Alongside this, EE added a new endpoint to the My EE portal, which customers use to manage their account, billing details and payments.
When you gift data to someone else, this is the HTTP request that is made:
As you can see in the HTTP request above, there are three POST parameters that matter:
- giftingAmountInMB: The amount of data you want to gift; this is done in increments of 500MB
- donorMsisdn: Determines which phone number to take the data from
- recipientMsisdn: Determines which phone number you want to send the data to
The only catch is that we can’t select ourselves as the recipient – that option is greyed out.
The issue? This check was only done client-side (rofl). Simply intercepting the HTTP request and setting the ‘donorMsisdn’ and ‘recipientMsisdn’ parameters to the same value allowed the gifting to succeed. In this case, the system worked like this:
- Take data from the donor phone number
- Give it to the recipient phone number
- The recipient’s data allowance is increased
- THEN check whether the recipient and donor are the same
- Return the gifted data to the donor
- The recipient (also us) keeps the gifted data as well
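As an added illustration (not EE’s code, which this post does not show), here is a small Python model of the server-side ordering described above next to a hardened handler that enforces the same-number rule on the server and validates everything before touching a balance. The account layout and the 07700 900xxx numbers are constructed sample data.

```python
from dataclasses import dataclass

GIFT_STEP_MB = 500  # gifting happens in 500MB increments, as the post states


class GiftError(Exception):
    """Raised when a gifting request is rejected."""


@dataclass
class FamilyAccount:
    # msisdn -> remaining data allowance in MB (constructed sample layout)
    allowances: dict


def _check_common(acct, donor, recipient, amount_mb):
    """Rules that both handlers below enforce server-side."""
    if donor not in acct.allowances or recipient not in acct.allowances:
        raise GiftError("both numbers must belong to this family account")
    if amount_mb <= 0 or amount_mb % GIFT_STEP_MB:
        raise GiftError("amount must be a positive multiple of 500MB")
    if acct.allowances[donor] < amount_mb:
        raise GiftError("donor does not have enough data")


def gift_vulnerable(acct, donor, recipient, amount_mb):
    """Models the ordering the post describes: move the data first, compare the
    numbers afterwards, refund the donor, but never revert the recipient's credit."""
    _check_common(acct, donor, recipient, amount_mb)
    acct.allowances[donor] -= amount_mb        # take data from donor
    acct.allowances[recipient] += amount_mb    # give it to recipient
    if donor == recipient:                     # THEN the same-number check
        acct.allowances[donor] += amount_mb    # refund donor; recipient keeps its credit
    return acct.allowances[recipient]


def gift_fixed(acct, donor, recipient, amount_mb):
    """Hardened handler: the same-number rule lives on the server and every check
    runs before any balance changes, so a rejected request leaves the account untouched."""
    if donor == recipient:
        raise GiftError("donor and recipient must be different numbers")
    _check_common(acct, donor, recipient, amount_mb)
    acct.allowances[donor] -= amount_mb
    acct.allowances[recipient] += amount_mb
    return acct.allowances[recipient]
```

Run against the same starting balances, the first handler leaves the self-gifting number 500MB richer, while the second rejects the request and changes nothing.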
Here is a PoC video I recorded around a year ago for the EE security team, demonstrating this issue (sorry for all the big black boxes; I no longer have the version that was just blurred):
Long story short, malicious people could have gained unlimited data free of charge and defrauded EE.
That’s all folks! I appreciate you taking the time to read my mumbo jumbo if you made it this far. Also, while you’re here, you should come hang out in the Underdog Security Discord server. There are around 200 people there, all talking about infosec and bug bounty from all different walks of life. Oh, and they’re hosting a cash prize CTF soon! :D
Daley Bee - https://twitter.com/daley