It seems the leader in visual voice-mail applications, Phone Fusion, has accidentally left users' voice-mails a little too “visual”.
Phone Fusion provides an app for its Visual Voicemail Plus on all major smartphones and carriers (See list). I have only evaluated the version provided for the Android, but based on the method of communication it seems it would be the same across all platforms.
The device handles the authentication for syncing with the gateway, providing the user with new voicemails. The issue lies in the way communication occurs with the user's voicemail storage.
Communication with the voicemail storage gateway is through an unencrypted request via HTTP with no authentication. This communication is visible locally by watching normal HTTP traffic.
The vulnerability is triggered when issuing a crafted GET request to the application's gateway web service. This request forces the gateway to provide an audio file of the voicemail in MP3 or VTT format.
Phone Fusion has been notified regarding this issue, promptly responding with more concern for who I was than the issue at hand. They have not confirmed their plans on patching this issue.
Stay tuned as we wait for them to decide what they plan on doing. If I do not hear back regarding their plans I will provide a proof of concept link on 02/10/2010.
UPDATE 02/10/2010
As promised, the Proof of Concept and some information regarding the unique domainid.
POC: Download straight from my mailbox.
Parameters
action: Tells the server how to handle the request. (GET downloads voicemail, MULTIPERMDELETE erases multiple voicemails)
send_header: Tells the server to force the headers for voicemail downloads.
output_format: Audio Format (MP3 or VTT)
mdnis: Used by Phone Fusion to determine the inbound routing.
domainid: Unique but potentially forcible message id. <yyyymmddhhmmssmm>001000<9 digit identifier>
If anyone finds more information on how the domainid is generated, feel free to email me or post a comment and I will update the post. Also, if anyone can determine this is working cross-platform (I'm sure it is) that would be great.
UPDATE 02/15/2010
It looks like they issued a quick patch. PF Visual Voicemail looks like it no longer is using plain-text HTTP for its connection; however, the POC above still works. Interesting… I will dig into this a bit more in the near future.
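As an added illustration (not Phone Fusion's code and not part of the original post), the sketch below contrasts a handler that serves any known domainid with one that takes the mailbox from an authenticated session and checks ownership of every id, a check that encrypting the transport does not provide. The in-memory store, session tokens, `login()`, and the comma-separated id list for MULTIPERMDELETE are assumptions; the ids and mailbox numbers are constructed to follow the layout described above.

```python
import secrets

ID_A = "2010021012000000" + "001000" + "000000001"  # constructed, page's layout
ID_B = "2010021012300000" + "001000" + "000000002"  # constructed
# Constructed store: message id -> owning mailbox and audio bytes.
MESSAGES = {
    ID_A: {"owner": "5550100", "audio": b"audio-for-mailbox-a"},
    ID_B: {"owner": "5550101", "audio": b"audio-for-mailbox-b"},
}
SESSIONS = {}  # session token -> mailbox, filled by login()
ACTIONS = {"GET", "MULTIPERMDELETE"}
FORMATS = {"MP3", "VTT"}

def login(mailbox):
    """Stand-in for the device's authenticated sync step (assumed)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = mailbox
    return token

def handle_unauthenticated(params):
    """Behaviour the post describes: knowing a domainid is enough."""
    msg = MESSAGES.get(params.get("domainid"))
    return (200, msg["audio"]) if msg else (404, b"")

def handle_authorized(params, token):
    """Same request, but the mailbox comes from the session, never from
    the client-supplied mdnis, and every id must belong to that mailbox."""
    mailbox = SESSIONS.get(token)
    if mailbox is None:
        return 401, b""
    action = params.get("action")
    if action not in ACTIONS:
        return 400, b""
    ids = [i for i in params.get("domainid", "").split(",") if i]  # comma list is assumed
    if not ids or (action == "GET" and len(ids) != 1):
        return 400, b""
    if action == "GET" and params.get("output_format") not in FORMATS:
        return 400, b""
    # Authorize all ids before touching any; a foreign id looks like a missing one.
    if any(MESSAGES.get(i, {}).get("owner") != mailbox for i in ids):
        return 404, b""
    if action == "MULTIPERMDELETE":
        for i in ids:
            MESSAGES.pop(i, None)
        return 200, b""
    return 200, MESSAGES[ids[0]]["audio"]
```

Returning the same 404 for a missing id and for another mailbox's id keeps the endpoint from confirming which ids exist.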
All Tags: Alltel, Android Security, AT&T, Authentication bypass, Blackberry, iPhone Security, Nokia, PF Voicemail, Phone Fusion, Sprint, Symbian, T-mobile, Verizon, Visual Voicemail, Vulnerable, Windows Mobile





