This report was fully disclosed on 27 February 2020
Due to the lack of rate limiting or captcha on a specific end-point it is possible for an unauthenticated attacker to send a large number of SMS text messages to a phone number of their choosing.
This allows a remote unauthenticated attacker to abuse the service and perform “SMS Flooding”, resulting in the target receiving hundreds or thousands of SMS text messages per minute.
About Titan: “Titan is a modern, high-quality asset manager. We build, manage, and explain investment products. We’re democratizing wealth management for the masses.”
Proof of Concept
First we must craft a request to the vulnerable end-point. This can be done manually, or by intercepting the request sent shortly after sign-up on the
The request is as follows (a GET request with no body; the text message is triggered by the phone query parameter).
GET /user/text-app?phone=6475551337 HTTP/1.1
Host: api.titanvest.com
Connection: close
User-Agent: Hacker 7.23
In this case we used a free phone number provided by our friends at TextNow as our target for testing.
Once we have crafted this request, we can use Burp Intruder to repeat the request a desired number of times. To do this we append &req=§0§ to the GET request and create a payload list of a numerical sequence of 100.
We can note that the first response was received at 09:47:50 GMT and the last response was received at 09:48:04 GMT. Since 100 requests were sent in those 14 seconds, we can determine that messages can be sent at a minimum rate of ~7 messages per second, or 428 per minute from a single attack.
As shown in the following screenshot, 100+ SMS messages were received by the target.
At 2:57 AM UTC on 25 February, Twitter user @scottbix posted a video of his phone being flooded with messages from various platforms, including but not limited to Titan. Based on this example we can determine with a high degree of certainty that this vulnerability is actively being exploited for malicious purposes.
- Implement captcha and other rate limiting controls to prevent abuse.
- Discontinue unused end-points.
- Implement security and bug reporting information such as a security.txt file so security researchers can more easily report findings in the future.
- Perform a full penetration test of the web platform and API to identify further issues.
At the time of publishing this report the reported issue has been resolved.
Response From Max Bernardy (CTO) on LinkedIn 27 February 2020
Thanks for connecting and bringing this issue to our attention. We’ve rolled out a guard that limits the number of SMSs that can be sent to a single phone number in any 24 hour period. Thanks again for letting us know.
- 25 February 2020: Affected Party Notified
- 27 February 2020: Affected Party Responded (+2 days)
- 27 February 2020: Affected Party Released Patch (+2 days)
- 27 February 2020: Report Published (+2 days)