CSRF Flaws Identified in Online SMS-Sending Services 160by2 and Way2SMS

The vulnerabilities could be abused to send messages from the victims' accounts

January 4th, 2013 12:35 GMT

Cross Site Request Forgery (CSRF) vulnerabilities have been identified on a couple of websites that provide online SMS-sending services. The security holes, located in 160by2.com and way2sms.com, have been identified by security researcher Sabari Selvan.

Writing on E Hacking News, Selvan explained that the vulnerability on 160by2.com affects the “SMS alerts” page and could be leveraged to send text messages from a victim's account to any mobile.

Since the page fails to check whether the request was actually made by the user, cybercriminals can send malicious requests to the server by tricking victims into clicking on cleverly crafted links.
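The missing check can be shown with a short sketch. This is an added example, not code from either site or from the researcher: it sets a handler that trusts the session cookie alone beside one that also requires a same-origin POST and a session-bound token. The origin, field names, HTTP methods and request layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions (constructed for illustration): key handling, origin, field names.
SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret, never sent to clients
TRUSTED_ORIGIN = "https://sms.example"    # placeholder for the site's own origin


def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds in its own forms; bound to one session via HMAC."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer fallback) is the site itself."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def send_sms_vulnerable(request: dict) -> str:
    """Flawed pattern: a valid session cookie alone authorizes the action."""
    if request["cookies"].get("session") is None:
        return "401 login required"
    return "200 message sent"


def send_sms_hardened(request: dict) -> str:
    """Also requires proof that the request came from the site's own form."""
    session = request["cookies"].get("session")
    if session is None:
        return "401 login required"
    if request["method"] != "POST" or not same_origin(request["headers"]):
        return "403 cross-site request rejected"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), issue_csrf_token(session).encode()):
        return "403 missing or invalid CSRF token"
    return "200 message sent"


# Constructed requests: the browser attaches the session cookie in both cases.
SESSION = "constructed-session-id"
FORGED = {"method": "GET", "cookies": {"session": SESSION}, "form": {},
          "headers": {"Referer": "https://other.example/page"}}
LEGIT = {"method": "POST", "cookies": {"session": SESSION},
         "headers": {"Origin": TRUSTED_ORIGIN},
         "form": {"csrf_token": issue_csrf_token(SESSION)}}
```

The vulnerable handler returns `200` for both constructed requests, while the hardened one accepts only `LEGIT`.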

The CSRF issue in way2sms.com, according to the expert, allows a hacker to change the name of the victim with the help of a malicious request.

The researcher has notified both companies of the presence of the vulnerabilities, but neither of them responded.

Furthermore, according to the expert, the CSRF vulnerability he has identified is not the only security hole that plagues the 160By2 site. He previously reported a cross-site scripting flaw to them, but his notifications remained unanswered.
