libera/#maemo/ Saturday, 2019-05-25

17:12 <sicelo> interesting 'authentication' schemes used by our two mobile ISPs for their balance check apps. the one uses an IP address in the range 10.0.0.0/8, and with the correct API call, the verification code is sent to the user via SMS, and at the same time, also returned in the JSON response (which the average joe won't see, of course)
17:12 <sicelo> this has the side effect that you can just view anyone's balances since you have the verification code anyway, without having access to the SMS
17:15 <sicelo> the 2nd ISP uses HTTPS (as opposed to HTTP-only for the first one) and the app needs to get a verification token generated by the server after you provide the correct code sent via SMS. The one thing with this ISP is that the token never changes for any given number, even though the SMS codes change. So if you can find the token just once, you have lifetime access to that account
17:16 <sicelo> anyway, i guess reading people's balances is not that much of an issue.
23:01 <Maxdamantus> sicelo: does the API let you do anything other than check balances? eg, buy plans?
23:30 <sicelo> i haven't investigated further. it's not documented anywhere, but i've been sniffing some of the responses on the network
23:30 <sicelo> i don't think you actually can buy plans, although the 2nd ISP does provide an endpoint that lists all available plans
