Sometimes when you innovate, you make mistakes. It is best to admit them quickly, and get on with improving your other innovationsSteve Jobs

Possible SMS Privacy info leak

7th Aug 2017

SMS Privacy has an administrator interface that gives reports on some information from the SMS Privacy database. The interface is primarily used for revenue projections, but some of the information is user-related.

Between 11th of November 2016 and 7th of August 2017, there was a security vulnerability in the SMS Privacy adminstrator interface that, if exploited, would have allowed a malicious attacker to learn everything shown in the administrator interface, some of which is potentially-sensitive.

I sincerely apologise for making the mistake. I hope it has not been exploited. I hope no users suffer if it was exploited.

Was the vulnerability exploited?

We have Nginx logs since 28th of July 2017 (10 days). Since 28th of July 2017, this vulnerability has definitely not been exploited. Prior to 28th of July 2017, it is impossible to know whether it was exploited or not.

If somebody was maliciously exploiting the vulnerability, there is every chance they would come back periodically to refresh their data. That this hasn't been observed in the last 10 days means either nobody is doing so, or they are refreshing their data less than once every 10 days.

What could have been leaked?

An attacker could have learnt all of the following for all accounts created before 28th of July 2017:

  1. Username
  2. Email address (optional: ~95% of users do not set an email address)
  3. Account creation and last login dates
  4. Account balance
  5. Bitcoin deposits (including TXID)
  6. Responses to user surveys

It would NOT have allowed an attacker to learn phone numbers, message contents, passwords, or hashed passwords as these are not exposed on the administrator interface.

It would NOT have allowed an attacker to modify any data as this can not be done in the administrator interface.

What should users do?

Be aware that there is a possibility (although not a certainty) that any of the items listed above could have been leaked to a malicious attacker. Note that the Bitcoin deposit TXIDs would allow an attacker to lookup the transaction in the Bitcoin blockchain and find out the sending addresses and payment amount.

Consider all of this information potentially-compromised and act accordingly, depending on your circumstances.

Remember that info leaks happen to lots of services, and only those of the highest integrity disclose them voluntarily. Protect yourself by giving away as little info as possible: if they don't have it, they can't leak it.

What has SMS Privacy done in response?

Fixed the vulnerability.

Voluntarily disclosed the existence and nature of the vulnerability to users (this report) so that they can take steps to protect themselves. Additionally, accounts that were created before 28th of July 2017 will be shown a warning on their next login linking them to this page.

Increased the period of time for which Nginx logs are kept from 10 days to 60 days.

What is SMS Privacy going to do to prevent things like this from happening again?

Get the service professionally security-tested, and publish the results.

What was the actual vulnerability?

If a non-administrator tried to view a page on the adminstrator interface they would be redirected to the login page. Unfortunately, after the redirect, processing of the request continued, including sending the response to the socket. If you tried to navigate to the administrator interface in a web browser, it redirected you to the login page but still silently sent the content.

You can learn more in the writeup on my blog.

How can I contact you?

If you have any questions or concerns, please get in touch: jes@smsprivacy.org.

Cheers,
James Stanley
SMS Privacy


SMS Privacy is a project by James Stanley.
Available as a Tor hidden service at smspriv6fynj23u6.onion.
Please send bug reports, feature requests, comments, concerns, etc. to jes@smsprivacy.org.
As featured on Indie Hackers.