Blackhat Technique of the Day - Get Google to pay you!

Discussion in 'BlackHat Lounge' started by Asif WILSON Khan, Jul 19, 2016.

  1. Asif WILSON Khan

    Step 1 - Get a Premium Rate Telephone Number
    Step 2 - Use it as your Verification Number on all services
    Step 3 - Profit!

    Obviously this is a joke, but read these:
    https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/
    http://www.cio.com/article/3096619/...hrough-online-phone-verification-systems.html

    How I Could Steal Money from Instagram, Google and Microsoft

    TL;DR: Instagram ($2000), Google ($0) and Microsoft ($500) were vulnerable to direct money theft via premium phone number calls. They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP/… . Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number. The vulnerabilities were submitted to the respective Bug Bounty programs and properly resolved.

    In the latest attack that shows how hard it is for users to identify phone numbers with premium call charges, a researcher has found that he could have earned millions by abusing the online phone verification systems used by Google, Microsoft, and Instagram.

    Many websites and mobile apps allow users to associate a phone number with their account. This can be used for two-factor authentication or as an account recovery and verification option. Many of these systems rely on codes sent via text messages, but also offer the option to call the user and dictate such codes.
    Last year, a Belgian IT security consultant named Arne Swinnen started wondering if such systems test if the numbers entered by users have premium charges attached to them and set out to test several popular services.

    • Thanks x 5
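
The two gaps named in the quoted TL;DR (no check that the supplied number is non-premium, and unlimited concurrent calls to one number) can be closed with a gate in front of the outbound voice-call step. This is an added example, not code from the original post or the linked write-ups; `VoiceCallGate`, its limits and the short prefix list are hypothetical and illustrative.

```python
import re
import time
from collections import defaultdict, deque

# Illustrative sample only (assumption): real deployments should consult a
# numbering-plan database or carrier lookup instead of a short prefix list.
PREMIUM_PREFIXES = ("+1900", "+449")  # US 1-900 and UK 09xx premium ranges
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def normalize(number):
    """Strip spaces, dashes and parentheses from a user-supplied number."""
    return re.sub(r"[\s\-()]", "", number)


class VoiceCallGate:
    """Decides whether a voice verification call may be placed (hypothetical helper)."""

    def __init__(self, max_concurrent=1, max_per_window=3, window_s=3600):
        self.max_concurrent = max_concurrent
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.active = defaultdict(int)     # number -> calls in progress
        self.history = defaultdict(deque)  # number -> recent call start times

    def request(self, number, now=None):
        """Return (allowed, reason); an allowed call is recorded as active."""
        now = time.time() if now is None else now
        number = normalize(number)
        if not E164.match(number):
            return False, "not_e164"
        if number.startswith(PREMIUM_PREFIXES):
            return False, "premium_rate"
        if self.active[number] >= self.max_concurrent:
            return False, "concurrent_limit"
        recent = self.history[number]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()  # drop call starts that fell out of the window
        if len(recent) >= self.max_per_window:
            return False, "rate_limit"
        recent.append(now)
        self.active[number] += 1
        return True, "ok"

    def finished(self, number):
        """Release the concurrency slot once the outbound call has ended."""
        number = normalize(number)
        if self.active[number] > 0:
            self.active[number] -= 1
```

Denied requests can fall back to SMS or another verification channel, and the returned reason string is worth logging so repeated `premium_rate` or `concurrent_limit` denials for one account show up in monitoring.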
  2. ThatSEO

    That's actually incredible
     
  3. lancis

  4. Asif WILSON Khan

  5. Sristy

    Now we will have something new to deal with than phone verifications...duh
     
  6. Sherbert Hoover

    Asif, you're turning into The Scarlet Pimp but with an investigative spin haha.
     
    • Thanks x 1