This report was fully disclosed on 27 February 2020

Summary

Due to the lack of rate limiting or captcha on a specific end-point it is possible for an unauthenticated attacker to send a large number of SMS text messages to a phone number of their choosing.

This allows a remote unauthenticated attacker to abuse the service and perform “SMS Flooding”, resulting in the target receiving hundreds or thousands of SMS text messages per minute.

About Titan: “Titan is a modern, high-quality asset manager. We build, manage, and explain investment products. We’re democratizing wealth management for the masses.”

Proof of Concept

First we must craft a request to the vulnerable end-point. This can be done manually, or by intercepting the request sent shortly after sign-up on the /join-now/success page.

The request is as follows (it is a GET request, so it carries no body).

GET /user/text-app?phone=6475551337 HTTP/1.1
Host: api.titanvest.com
Connection: close
User-Agent: Hacker 7.23

Screenshot of titanvest.com/join-now/success

In this case we used a free phone number provided by our friends at TextNow as our target for testing.

Once we have crafted this request, we can use Burp Intruder to repeat it a desired number of times. To do this we append &req=§0§ to the GET request and create a payload list consisting of a numeric sequence of 100 values.

Screenshot of Burp Intruder

The first response was received at 09:47:50 GMT and the last at 09:48:04 GMT. Since 100 requests were sent in those 14 seconds, messages can be sent at a rate of at least ~7 per second, or 428 per minute, from a single attacker.

Screenshot of Burp Intruder showing 100 requests and responses

As shown in the following screenshot, 100+ SMS messages were received by the target.

Screenshot of TextNow target receiving 100 text messages

Active Exploitation

At 2:57 AM UTC on 25 February, Twitter user @scottbix posted a video of his phone being flooded with messages from various platforms, including but not limited to Titan. Based on this example, we can determine with a high degree of certainty that this vulnerability is actively being exploited for malicious purposes.

Recommendations

  • Implement captcha and other rate limiting controls to prevent abuse.
  • Discontinue unused end-points.
  • Implement security and bug reporting information, such as a security.txt file, so security researchers can more easily report findings in the future.
  • Perform a full penetration test of the web platform and API to identify further issues.
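As an added example (not Titan's code, and not the guard Titan later deployed), the following Python sketches the rate limiting control recommended above: a 24-hour cap per destination number plus an hourly cap per requesting address, replayed against the 100-request burst from the proof of concept. The limit values, window lengths, normalization rule and the ManualClock helper are assumptions for this illustration.

```python
import time
from collections import deque

class ManualClock:
    """Settable clock so the limiter can be exercised without sleeping."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now

def _prune(queue, window, now):
    while queue and now - queue[0] >= window:  # drop timestamps outside the window
        queue.popleft()

class SmsRateLimiter:
    """Sliding-window limiter for an SMS send endpoint, keyed on the destination
    number (24h cap) and on the requesting address (hourly cap). Limits are assumed."""
    def __init__(self, per_number_limit=3, per_number_window=24 * 3600,
                 per_source_limit=20, per_source_window=3600, clock=time.monotonic):
        self.per_number_limit, self.per_number_window = per_number_limit, per_number_window
        self.per_source_limit, self.per_source_window = per_source_limit, per_source_window
        self.clock = clock
        self._by_number = {}  # normalized number -> deque of delivery timestamps
        self._by_source = {}  # client address -> deque of attempt timestamps

    @staticmethod
    def normalize(phone):
        # "+1 (647) 555-1337" and "6475551337" share one bucket; &req=N never reaches this key.
        digits = "".join(ch for ch in phone if ch.isdigit())
        return "1" + digits if len(digits) == 10 else digits  # assumes NANP numbers

    def allow(self, phone, source_ip):
        now = self.clock()
        num_q = self._by_number.setdefault(self.normalize(phone), deque())
        src_q = self._by_source.setdefault(source_ip, deque())
        _prune(num_q, self.per_number_window, now)
        _prune(src_q, self.per_source_window, now)
        if len(src_q) >= self.per_source_limit:
            return False, "source address over hourly limit"
        src_q.append(now)  # every attempt counts against the requester
        if len(num_q) >= self.per_number_limit:
            return False, "destination number over 24h limit"
        num_q.append(now)  # only delivered messages count against the recipient
        return True, "ok"

def simulate_flood(limiter, clock, phone, source_ip, requests=100, per_second=7):
    """Replay the report's burst (100 requests at ~7/s); return messages delivered."""
    def attempt():
        clock.now += 1 / per_second
        return limiter.allow(phone, source_ip)[0]
    return sum(attempt() for _ in range(requests))
```

With these assumed limits the burst that delivered 100+ messages in the proof of concept delivers three, and a second address trying the same number in a different format is refused until the 24-hour window has passed.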

Remediation Status

At the time of publishing this report the reported issue has been resolved.

Response From Max Bernardy (CTO) on LinkedIn 27 February 2020

Hi,

Thanks for connecting and bringing this issue to our attention. We’ve rolled out a guard that limits the number of SMSs that can be sent to a single phone number in any 24 hour period. Thanks again for letting us know.

Best,

-Max

Timeline

  • 25 February 2020: Affected Party Notified
  • 27 February 2020: Affected Party Responded (+2 days)
  • 27 February 2020: Affected Party Released Patch (+2 days)
  • 27 February 2020: Report Published (+2 days)