A brute-force attack could reveal validation code

Oct 31, 2014 14:53 GMT  ·  By

The group communication app for iOS GroupMe received an update recently that closed a bug allowing an individual to hijack someone else’s account knowing only the target’s phone number.

Owned by Microsoft, the software is available for multiple platforms, both desktop (OS X, Windows) and mobile (iOS and Android). The version for Android has been installed at least five million times.

The vulnerability was discovered by Dylan Saccomanni, a security researcher from New York, who found that the code used to validate ownership of a mobile device during registration can be brute-forced; this would allow a third party to use any phone number to create a GroupMe account and gain access to other users’ profiles.

Limitless validation code entries allowed

Unlike other services, GroupMe accounts are tied to the phone number rather than the email address, and users can register either with the number of the current device or with a different one.

In the latter scenario, the service sends a four-digit code to the provided number for verification purposes; the code then needs to be entered during the registration process.

It all may seem jolly good, but the trouble is that the iOS app did not implement any lock-out after a wrong code was entered several times, which opened the door to brute-force attacks.

“Being that the SMS tokens for this type of phone number validation were always four digits in length, this meant there were only 10,000 possible combinations to get through before entering the correct auth token for the phone number. It was therefore trivial to automate this process and enter any user's account knowing nothing but their phone number,” Saccomanni writes in a blog post on Thursday.
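The two settings the article contrasts, a short code with unlimited guesses versus a verification store that caps attempts, expires codes and compares in constant time, as an added illustration written for this page (not GroupMe's code; the class, method names, limits and the sample phone number are all assumptions):

```python
"""Phone-number verification codes: the weak setting (short code, unlimited
attempts) beside a hardened store (attempt cap, expiry, constant-time compare).
Added illustration, not GroupMe's code; every name and limit is an assumption."""
import hmac
import secrets
import time


class VerificationStore:
    """Holds one pending SMS code per phone number.

    max_attempts=None reproduces the weak behaviour the article describes:
    a wrong guess is never penalised, so all 10**code_length codes can be tried.
    """

    def __init__(self, code_length=4, max_attempts=5, ttl_seconds=300, clock=time.time):
        self.code_length = code_length
        self.max_attempts = max_attempts
        self.ttl_seconds = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._pending = {}  # phone -> {"code": str, "attempts": int, "issued_at": float}

    def issue(self, phone):
        """Generate a fresh code with a CSPRNG and restart the attempt counter."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_length))
        self._pending[phone] = {"code": code, "attempts": 0, "issued_at": self.clock()}
        return code  # the caller hands this to the SMS gateway

    def verify(self, phone, candidate):
        """Return one of "ok", "wrong", "locked", "expired", "unknown".

        A locked or expired entry is discarded, so even the correct code is
        refused until a new one is issued."""
        entry = self._pending.get(phone)
        if entry is None:
            return "unknown"
        if self.clock() - entry["issued_at"] > self.ttl_seconds:
            del self._pending[phone]
            return "expired"
        if self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            del self._pending[phone]
            return "locked"
        entry["attempts"] += 1
        # compare_digest does not leak how many leading digits matched via timing
        if hmac.compare_digest(entry["code"], str(candidate)):
            del self._pending[phone]  # one-time use
            return "ok"
        return "wrong"


def max_success_probability(code_length, max_attempts):
    """Upper bound on a guesser's chance of success against one issued code.

    Unlimited attempts (None) means every code can be tried: probability 1.
    With a cap, at most max_attempts distinct codes are ever checked."""
    space = 10 ** code_length
    if max_attempts is None:
        return 1.0
    return min(max_attempts, space) / space


def lockout_holds(store, phone, wrong_guesses=50):
    """Defender's check: once the cap is reached the correct code is refused too.

    For a store without a cap this returns False, because after any number of
    wrong guesses the right code still gets in."""
    code = store.issue(phone)
    wrong = str((int(code[0]) + 1) % 10) + code[1:]  # same length, guaranteed wrong
    cap = store.max_attempts if store.max_attempts is not None else wrong_guesses
    for _ in range(cap):
        if store.verify(phone, wrong) != "wrong":
            return False
    return store.verify(phone, code) == "locked"


if __name__ == "__main__":
    phone = "+15550100"  # constructed sample number
    for label, cap in (("weak: 4 digits, no cap", None), ("hardened: 4 digits, 5 tries", 5)):
        store = VerificationStore(code_length=4, max_attempts=cap)
        print(f"{label:32s} success bound={max_success_probability(4, cap):.4%} "
              f"lockout_holds={lockout_holds(store, phone)}")
```

With the cap in place a single issued code can be hit with probability at most 5/10,000; the article's unlimited-attempt case lets every code be tried. Expiry and one-time use close the remaining window: a code that has been used, locked or aged out has to be re-issued, which is also the point at which a defender can alert on repeated re-issue for one number.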

A patch was pushed almost 20 days after the vulnerability disclosure

The risk existed that all the content (groups, message history) attached to a victim’s phone number would become accessible to unauthorized individuals.

According to the researcher, the password and email address could be changed without the rightful owner of the account being notified.

The vulnerability affects build 4.4.4 and earlier of GroupMe for iOS; it was disclosed privately to the developers on August 28. A fix was provided in version 5.0 of the app, which was released on September 17.

Saccomanni says the entire exchange with the developer went without a glitch: the team was very responsive and stayed in contact throughout the process.