This report was fully disclosed on 19 August 2020

Summary

Due to the lack of rate limiting or captcha on a specific end-point it is possible for an unauthenticated attacker to send a large number of SMS text messages to a phone number of their choosing.

This allows a remote unauthenticated attacker to abuse the service and perform “SMS Flooding”, resulting in the target receiving hundreds or thousands of SMS text messages per minute.

About RentPayment: “RentPayment is the leading electronic payments processor for the apartment rental industry. With this service, property managers can collect rent on time, reduce rent collection costs and access detailed reporting to analyze their business. Renters use our solution to pay their rent online, on their mobile phone or by text message using a credit card, debit card or eCheck. We streamline rent collection by providing these benefits to the largest properties in the country – representing thousands of apartment buildings and millions of renters making us the industry leading e-payment solution.”

Proof of Concept

First we must craft a request to the vulnerable end-point. The request body is as follows.

POST /wp-content/themes/rentpayment/twilio/index.php HTTP/1.1
Host: www.rentpayment.com
Connection: close
Content-Length: 29
X-Requested-With: XMLHttpRequest
User-Agent: Hacker 7.23
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

sms_number=6475551337

In this case we used a free phone number provided by our friends at TextNow as our target for testing.

Once we have crafted this request, we can use Burp intruder to repeat the request a desired number of times. To do this we can append &req=§0§ to the body of request and create a payload list of a numerical sequence of 100.

We can note that the first response was received at 09:04:26 GMT and the last response was received at 09:04:50 GMT. Since 100 requests were sent we can determine that messages can be sent at a minimum rate of ~4 messages per second, or 250 per minute from a single attack.

image tooltip here

image tooltip here

As shown in the following screenshot 100+ sms messages were received by the target.

image tooltip here

Active Exploitation

At 2:57 AM on 25 Feburary, Twitter user @scottbix posted a video of his phone being flooded with messages from various platforms, including but not limited to Zoom. Based on this example we can determine with a high degree of certainty that this vulnerability is actively being exploited for malicious purposes.

  • Implement captcha and other rate limiting controls to prevent abuse.
  • Discontinue unused end-points
  • Implement security and bug reporting information such as a security.txt file so security researchers can more easily report findings in the future.
  • Perform a full penetration test of the web platform and API to identify further issues.

Remediation Status

At the time of publishing this report the reported issue has been resolved.

Response From @Yapstone on Twitter

On Monday, May 4, 2020, 17:17 PM, @Yapstone wrote:

Thank you for reaching out to us. The issue has been resolved.

Timeline

  • 25 February 2020: Affected Party Notified
  • 4 May 2020: Affected Party Responded (+69 days)
  • 4 May 2020: Affected Party Released Patch (+69 days)
  • 19 August 2020: Report Published (+176 days)