A Lesson in Web Application Security Part 1

So it was today that the ‘O’, ‘AS’ & ‘A’ Level results came out, and in the days before it had been pretty well advertised that students could get their results by SMS. So when I heard word that the results were out, I went to the registration page, to be greeted with a pretty, how would I put it, not so aesthetically pleasing site. Yes, I know functionality is what is important, and I do personally believe in that, and I know my own design skills need a lot of work, but come on, people!

screenshot of SMS registration site
The site in question

So I decide to take a look around and see how they handle the registration of users….

Step 1: Input Details
(screenshot: input details)

Step 2: Confirmation
(screenshot: confirmation)

Step 3: Nothing, we’re done!
(screenshot: nothing, we're done!)

It does state that registration is free, which is good; however, there was a huge flaw in the design of this registration process, as shown in the next 2 steps:

Step 4: Receive Confirmation SMS
Registration for BN123 4321 CANDIDATE NAME is successful.
To cancel the registration, type MOE CANCEL 98765 and
send to 8885555

Step 5: Receive Results SMS
O LEVEL RESULT 2008
Exam Center: BN123
Candidate Index: 4321
A.M = A
B.M = A
BIO = A
CHE = A
COM = A
ENG = A
MAT = A
PHY = A
RSLT = 8 0

Update: Actual candidate name and results changed for illustration purposes

Part 2 will be released once Mach Telecommunications Systems fixes the exploits in question (or if they don’t do anything about it, forcing me to release it)

Update: Read Part 2 here


6 thoughts on “A Lesson in Web Application Security Part 1”

  1. I think you need to reflow Steps 4 and 5. They’re hidden cos they’re too long. You can copy & paste the text into notepad but that’s a pain.

    If you mean the design flaw is defaulting everything to A’s I can imagine a lot of people called CANDIDATE NAME will be celebrating prematurely.

  2. Ok it’s fixed. ScribeFire issue not working well with WordPress. Well the actual names and results are changed to protect the identity and results of the person whose results I did get

  3. It’s not meant to be seen… yet as I don’t want it to be exploited. Though, you are always free to investigate on your own. Trying to do responsible disclosure.

  4. So you’re saying the issue is that anyone can access the results of any candidate as long as they know the Candidate Code?? But that’s gonna be hard no??

    But one can use this just to do a DOS attack on the telecom company, or an individual.. Just write a script to “attach” a cellphone no. on ALL results.. Hehehehe.. Ooops.. Am I not supposed to say that??
