February 15, 2017, I was fooling around with my phone and doing my routine check on current points of the accounts that I hold through applications like SM’s ‘My SMAC’. This routine of mine actually gives me some kind of assurance that the ‘expensively’ earned points and even my bank balances are still there, untouched, because it pains me to become a victim of ‘system problems’ which tells you that the points or even the money that you’re keeping are gone digitally.
Being an SM Advantage member for nearly 11 years, the question came to me, ‘How secure is SM’s system for keeping my digital information?’. This led me to check out SMAC’s website to test a few things, and the results were as follows:
After visiting a link, I was surprised to be presented with account information without any authentication requirement at all.
The card number is mine and I was presented with my email, address, and contact number but it doesn’t stop there. There were options to change the password and even the email.
Then, to verify that this worked for other accounts as well, I randomly changed the last few digits of the card number and was presented with their information too. Looking further into the website source, I found a link that publicly presented the points of an SM Advantage Card.
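The two problems described above (a profile/points lookup that never checks who is asking, and card numbers that can simply be incremented) are the classic insecure direct object reference. As an added example that is not code from the original post or from SMAC, the block below shows a lookup with the behaviour described beside a hardened version that ties the requested card to the authenticated session, plus a small detector that flags a client walking through consecutive card numbers in access logs. The card numbers, session tokens and log lines are all constructed.

```python
"""Added example (not from the original post): object-level authorization for a
card lookup, plus a detector for sequential card-number enumeration in access
logs. All card numbers, sessions and log lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample data: which member owns which card, and their points.
CARDS = {
    "1000000001": {"owner": "alice", "points": 1250, "email": "alice@example.invalid"},
    "1000000002": {"owner": "bob", "points": 0, "email": "bob@example.invalid"},
    "1000000003": {"owner": "carol", "points": 980, "email": "carol@example.invalid"},
}
# Constructed session store: session token -> authenticated member.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def lookup_card_vulnerable(card_number):
    """Behaviour described in the post: any card number returns its record,
    with no session and no ownership check."""
    return CARDS.get(card_number)


def lookup_card_hardened(session_token, card_number):
    """Require a valid session and verify the card belongs to that member.
    Returns (status, payload): 401 without a session; 403 for both unknown
    cards and someone else's card, so the response does not reveal which
    numbers exist."""
    member = SESSIONS.get(session_token)
    if member is None:
        return 401, None
    record = CARDS.get(card_number)
    if record is None or record["owner"] != member:
        return 403, None
    return 200, {"points": record["points"], "email": record["email"]}


# Constructed access-log lines in common log format (hypothetical /points path).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Feb/2017:10:01:01 +0800] "GET /points?card=1000000001 HTTP/1.1" 200
203.0.113.5 - - [15/Feb/2017:10:01:02 +0800] "GET /points?card=1000000002 HTTP/1.1" 200
203.0.113.5 - - [15/Feb/2017:10:01:03 +0800] "GET /points?card=1000000003 HTTP/1.1" 200
203.0.113.5 - - [15/Feb/2017:10:01:04 +0800] "GET /points?card=1000000004 HTTP/1.1" 200
198.51.100.9 - - [15/Feb/2017:10:05:00 +0800] "GET /points?card=1000000002 HTTP/1.1" 200
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"GET /points\?card=(?P<card>\d+) HTTP')


def find_enumerators(log_text, threshold=3):
    """Return {ip: longest_run} for clients that requested at least
    `threshold` consecutive card numbers; a legitimate member only ever
    looks up their own card, so a run of adjacent numbers is a strong signal."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group("ip")].add(int(m.group("card")))
    flagged = {}
    for ip, cards in seen.items():
        ordered = sorted(cards)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(lookup_card_vulnerable("1000000002"))              # anyone gets bob's record
    print(lookup_card_hardened("tok-alice", "1000000002"))   # (403, None)
    print(find_enumerators(SAMPLE_LOG))                      # {'203.0.113.5': 4}
```

The hardened lookup deliberately returns the same status for "not yours" and "does not exist"; answering differently would turn the endpoint back into an oracle for valid card numbers. The detector only sees what the log records, so it belongs alongside, not instead of, the authorization fix.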
Finally, there’s a point transfer feature as shown below:
The interesting details presented in the link were the following:
- Source card (fromcard=)
- Destination card (destcard=)
- Transfer amount (transamount=)
- Source pin (sourcepin=)
I didn’t randomly test this one, as I knew it could trigger an actual point transfer, so I used my own card number for both source and destination just to be safe. The good thing about the point transfer feature is that it requires a PIN code to complete a transfer; however, after I tested a few wrong ones, no security alert showed up, which means this link can be brute-forced. By combining the vulnerabilities of the previous links (profile information and point viewing), an attacker should be able to transfer points from one account to another by:
- Running a program to increment the card numbers.
- Check the points of each account using the link above.
- If there are points in the account, the point transfer feature can be used.
- Since the PIN is only 4 digits, the combinations to test are 0000 up to 9999, a total of 10,000 combinations. If a script tests at least 1 PIN combination per second, a successful point transfer will happen in no more than 2 hours and 46 minutes.
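The 2 hours and 46 minutes figure only holds because nothing stops the guessing. As an added example that is not code from the original post or from SMAC, the block below models a transfer handler with the same four parameters (fromcard, destcard, transamount, sourcepin) that counts failed PIN attempts per source card, locks the card after a small number of failures and records an alert, so that a sequential guess of 0000 upward is cut off after a handful of tries instead of running to 9999. The limits, card numbers and PINs are constructed assumptions.

```python
"""Added example (not from the original post): PIN verification for a point
transfer with per-card failed-attempt lockout and alerting. Limits, cards
and PINs are constructed assumptions."""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5      # assumption: lock the source card after 5 wrong PINs
LOCKOUT_SECONDS = 15 * 60    # assumption: 15-minute lock


def _pin_hash(pin, salt):
    """Store PINs as salted PBKDF2 hashes, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_card(points, pin):
    """Build a constructed card record with a fresh random salt."""
    salt = os.urandom(16)
    return {"points": points, "salt": salt, "pin_hash": _pin_hash(pin, salt)}


class TransferService:
    def __init__(self, cards, now=time.time):
        self.cards = cards          # card number -> record from make_card()
        self.failed = {}            # card number -> consecutive failed attempts
        self.locked_until = {}      # card number -> unix time the lock expires
        self.alerts = []            # what the fraud/security team would see
        self.now = now

    def _locked(self, card):
        return self.now() < self.locked_until.get(card, 0)

    def transfer(self, fromcard, destcard, transamount, sourcepin):
        if fromcard not in self.cards or destcard not in self.cards:
            return "rejected: unknown card"
        # Lock is keyed on the source card, not the client IP, so spreading
        # guesses across many addresses does not reset the counter.
        if self._locked(fromcard):
            return "rejected: source card locked"
        src = self.cards[fromcard]
        # Constant-time comparison of the hashes.
        ok = hmac.compare_digest(_pin_hash(sourcepin, src["salt"]), src["pin_hash"])
        if not ok:
            n = self.failed[fromcard] = self.failed.get(fromcard, 0) + 1
            if n >= MAX_FAILED_ATTEMPTS:
                self.locked_until[fromcard] = self.now() + LOCKOUT_SECONDS
                self.alerts.append(f"card {fromcard}: locked after {n} failed PIN attempts")
            return "rejected: bad pin"
        self.failed[fromcard] = 0   # a correct PIN resets the counter
        if transamount <= 0 or src["points"] < transamount:
            return "rejected: insufficient points"
        src["points"] -= transamount
        self.cards[destcard]["points"] += transamount
        return "ok"


def demo_bruteforce_is_stopped():
    """Walk PINs 0000 upward against a constructed card whose PIN is 0042 and
    report how many guesses were accepted before the lockout ended the run."""
    svc = TransferService({"A": make_card(500, "0042"), "B": make_card(0, "1111")})
    for guess in range(10_000):
        result = svc.transfer("A", "B", 500, f"{guess:04d}")
        if result == "ok":
            return {"succeeded": True, "guesses": guess + 1, "alerts": svc.alerts}
        if result == "rejected: source card locked":
            return {"succeeded": False, "guesses": guess, "alerts": svc.alerts}
    return {"succeeded": False, "guesses": 10_000, "alerts": svc.alerts}


if __name__ == "__main__":
    print(demo_bruteforce_is_stopped())
    # {'succeeded': False, 'guesses': 5, 'alerts': ['card A: locked after 5 failed PIN attempts']}
```

Keying the lock on the source card is what defeats the 10,000-guess budget, but it also means a third party who knows a card number can lock its owner out of transfers; the usual answer is to notify the card holder on lockout and require a stronger re-verification to clear it, rather than to drop the lock. The lockout complements, and does not replace, fixing the unauthenticated profile and points lookups that supply the card numbers in the first place.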
This vulnerability has been disclosed to SMAC’s team and the timeline of disclosure follows:
February 15, 2017 (Vulnerability reported)
- 10:56 AM – Initial report was sent to firstname.lastname@example.org
- 12:55 PM – Secondary report with images and links sent through a document in SMAC’s Facebook
- 01:22 PM – SMAC’s Facebook acknowledges the document
February 16, 2017 (Issue being fixed)
- 11:10 AM – Checked the website and it showed an access denied page.
February 17, 2017 (Issue being fixed)
- 11:00 AM – Checked the website and it was down.
February 19, 2017 (Vulnerability fixed)
March 2, 2017 (Sent email for public disclosure schedule)
- 01:36 AM – Sent email to email@example.com
March 15, 2017 (Public disclosure)
Unfortunately, the last time I heard from the SMAC team was on February 15, 2017, through Facebook. I guess the email firstname.lastname@example.org is barely used, but I salute the website team for the fast fix!
Thank you so much for reading!
P.S. No accounts were hacked in the process. The point system also keeps a transaction record, so technically it won’t be hard to track down illegal activity.