XSS helps you trace unregistered "Pay As You Go" subscribers

Written by DP

Thursday, 27 May 2010

Web security researcher "PyskE" has submitted a critical cross-site scripting (XSS) vulnerability affecting Vodafone:

*UPDATE 28/05/2010*:  

Mystick has submitted a fresh XSS vulnerability on [XSS Mirror]

There are two possible exploitation scenarios:

Scenario #1 (The evil XSS attack)

A malicious user exploits the XSS vulnerability to display a fake survey form urging Vodafone subscribers worldwide to input sensitive personal and financial details. Furthermore, the issue could be exploited to infect site visitors and subscribers with malware, adware and spyware.

Scenario #2 (XSS is your friend in some occasions)

In many jurisdictions it is not mandatory to register your prepaid (Pay-As-You-Go) SIM card. This allows people to use their mobile phones for nefarious purposes such as scams, pranks and miscellaneous illegal activities. Supposedly no one will know you are at the other end, unless you tell them.

If you are the victim and know the annoying Vodafone mobile phone number, you can pose as Vodafone by sending a masked SMS text message to the annoying subscriber, asking him to visit the XSS-vulnerable survey page in order to confirm account details or take part in a competition. It is probable that the subscriber will visit the page and input details in the injected fake form. For greater persuasion potential, you can assign him a fake unique ID, supposedly required to successfully complete the survey.

Without XSS on Vodafone's web pages it will cost you a little to get this information, because the only option is to register an SMS short code, a highly persuasive option too!! :)

*UPDATE 28/05/2010*: The victim may look up your SMS short code number: "How can I tell who sent me a spam text or call?" - Help @ Vodafone UK

Screenshots for Scenario #2:

Vodafone sites have been XSSed in the past:

XSS vulnerability notified by Darkc0ke
XSS vulnerability notified by PyskE
XSS vulnerability notified by isoz
XSS vulnerability notified by l3d
XSS vulnerability notified by DoMy94
XSS vulnerability notified by TurKPoweR
XSS vulnerability notified by TurKPoweR
XSS vulnerability notified by xylitol
XSS vulnerability notified by Agd_Scorp
XSS vulnerability notified by Langy
XSS vulnerability notified by BackDoor
XSS vulnerability notified by (reporter name missing)
XSS vulnerability notified by (reporter name missing)
XSS vulnerability notified by cyber
XSS vulnerability notified by Narcoticxs
XSS vulnerability notified by cyber
XSS vulnerability notified by TotalSchaden
XSS vulnerability notified by KaBuS
XSS vulnerability notified by KaBuS
XSS vulnerability notified by Hexspirit
