This report was fully disclosed on 27 February 2020
Summary
Due to the lack of rate limiting or captcha on a specific end-point it is possible for an unauthenticated attacker to send a large number of SMS text messages to a phone number of their choosing.
This allows a remote unauthenticated attacker to abuse the service and perform “SMS Flooding”, resulting in the target receiving hundreds or thousands of SMS text messages per minute.
About Titan: “Titan is a modern, high-quality asset manager. We build, manage, and explain investment products. We’re democratizing wealth management for the masses.”
Proof of Concept
First we must craft a request to the vulnerable end-point. This can be done manually, or by intercepting the request sent shortly after sign-up on the /join-now/success
page.
The request body is as follows.
GET /user/text-app?phone=6475551337 HTTP/1.1
Host: api.titanvest.com
Connection: close
User-Agent: Hacker 7.23
In this case we used a free phone number provided by our friends at TextNow as our target for testing.
Once we have crafted this request, we can use Burp intruder to repeat the request a desired number of times. To do this we can append &req=§0§
to the GET
request and create a payload list of a numerical sequence of 100.
We can note that the first response was received at 09:47:50 GMT
and the last response was received at 09:48:04 GMT
. Since 100 requests were sent we can determine that messages can be sent at a minimum rate of ~7 messages per second, or 428 per minute from a single attack.
As shown in the following screenshot 100+ sms messages were received by the target.
Active Exploitation
At 2:57 AM UTC on 25 Feburary, Twitter user @scottbix
posted a video of his phone being flooded with messages from various platforms, including but not limited to Titan. Based on this example we can determine with a high degree of certainty that this vulnerability is actively being exploited for malicious purposes.
A few hours later and I've managed to replicate, write up, and report the vulnerabilities that let this happen on @zoom_us, @Vistaprint, @RentPayment, and @titanvest
— ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ (@GlitchWitch) February 25, 2020
Still a couple more to do but certainly a good start. https://t.co/I61cVZgaTZ
Recommended Actions
- Implement captcha and other rate limiting controls to prevent abuse.
- Discontinue unused end-points
- Implement security and bug reporting information such as a security.txt file so security researchers can more easily report findings in the future.
- Perform a full penetration test of the web platform and API to identify further issues.
Remediation Status
At the time of publishing this report the reported issue has been resolved.
Response From Max Bernardy (CTO) on LinkedIn 27 February 2020
Hi,
Thanks for connecting and bringing this issue to our attention. We’ve rolled out a guard that limits the number of SMSs that can be sent to a single phone number in any 24 hour period. Thanks again for letting us know.
Best,
-Max
Timeline
- 25 February 2020: Affected Party Notified
- 27 February 2020: Affected Party Responded (+2 days)
- 27 February 2020: Affected Party Released Patch (+2 days)
- 27 February 2020: Report Published (+2 days)