How I accidentally discovered a way to top up my account with an American mobile operator without limit

To prevent abuse, I am not naming the operator.

It all started when, on arrival, I bought a SIM card from the operator on a pay-as-you-go plan. This is the most common kind of plan, the one that was popular in Russia before bundled plans appeared: you pay for every minute, message and megabyte for as long as you have a balance, and the balance has to be topped up.

Everywhere I went I had Wi-Fi, so cellular service was needed mostly for incoming calls and occasional mobile Internet access. The catch with American operators, however, is that your account balance can simply expire. In my case it expired after 30 days, i.e. the money on the account was just lost. It could be carried over in full to the next month, but only if you made at least some top-up. So I decided to make the minimum top-up each month to stay reachable.

I logged into my account on the operator’s website and tried to top up from a bank card. Unlike in Russia, you could not enter an amount here: you could only choose from a few fixed amounts, the smallest being $5. I did not need that much, but I paid it every month to stay connected. As a result, after a few months several tens of “useless” dollars had accumulated on the account with no chance of ever being spent.

Passing the operator’s kiosk in a shopping centre one day, I saw ordinary top-up cards (scratch cards). They came in the same denominations as the ones offered for payment on the website. Apparently out of an intuitive urge to experiment, I bought one, again for $5. When it came time to redeem it, I looked the card over. The principle seemed the same as in Russia (back when such cards were still popular): you can simply dial a command with the card number to activate it, or you can wander through the USSD menu (commands of the form *XXX#). Again out of a desire to experiment, I chose the long way, through the menu. Among the options were checking the balance, activating a scratch card, and topping up from a bank card.

In Russia I had only ever dealt with entering card details online, so paying with a card through such a menu was interesting to me (after all, these payments were the topic of my thesis), even though it seemed insecure (in Russia the card details are usually entered in a separate window of the acquiring bank and are not passed to the merchant in the clear). I decided to try it. I was immediately surprised by the offer to enter an amount: instead of the standard fixed choice of amounts, as everywhere else, I was asked to enter one myself. I entered $1, filled in the card details in the following steps, and the payment went through. As you might guess, I then tried $0.01, and that went through too.

I could have been satisfied that I no longer needed to pointlessly transfer $5 to my balance every month, but only 1 cent, and ended the experiment there. But a couple of hours later I wanted to take another look at the account on the operator’s website, specifically at the top-up options.

So. I am offered a form with card details, amount and so on. I capture what the POST request with the form submission looks like, copy it into Postman and try to replay it. The server responds with an error; it seems some tokens in the form expire.

I decide to go the simple way. I am offered a choice of amount from a drop-down list. Of course, it is an ordinary select list of options.


Obviously only the value is sent to the server. What the 5, 10, 30 after the hyphen mean I understand: that is the top-up amount. But what does the first part mean? Are there constants in the server-side code keyed on it, or is the amount simply extracted from the submitted data?

I try. I change one of the options to REG12-0.01, enter the card details and submit. A message appears: “Thank you. $0.01 load amount has been credited to your prepaid number.” The same amount was charged to the card. Everything seems fine. You can choose any amount, although I had already discovered that via USSD, so nothing new.

But here is the most important point. I receive an SMS on the number: “$30 was credited to your account”. The account balance increased by that amount.
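The post does not say how the operator’s billing arrived at $30 for a $0.01 charge. The following is an added example, not code from the post or from the operator, that models one plausible design that produces exactly this outcome and places the hardened handler beside it. Everything in it is an assumption except the amounts: the option values REG12-5, REG12-10, REG12-30 are inferred from the text, the vulnerable handler parses the card charge from the client-controlled value while resolving the balance credit from the option’s position in the drop-down, and `fake_gateway_charge` stands in for the acquiring bank.

```python
from decimal import Decimal, InvalidOperation

# Server-side catalogue of the drop-down options. The codes are inferred from
# the post; the dollar amounts are the ones it gives. Only this table should
# ever decide what is charged and what is credited.
TOPUP_OPTIONS = {
    "REG12-5":  Decimal("5.00"),
    "REG12-10": Decimal("10.00"),
    "REG12-30": Decimal("30.00"),
}
OPTION_ORDER = list(TOPUP_OPTIONS)  # rendering order in the form: index 0, 1, 2


class Rejected(ValueError):
    """Raised when a submission is refused."""


def fake_gateway_charge(card_token: str, amount: Decimal) -> Decimal:
    """Stand-in for the acquiring bank (assumption): charges whatever it is told,
    refusing only non-positive amounts, and returns the amount actually taken."""
    if amount <= 0:
        raise Rejected("gateway refused non-positive amount")
    return amount


def vulnerable_topup(value: str, option_index: int, card_token: str) -> dict:
    """Hypothetical reconstruction of the bug. The charge is taken straight from
    the client-controlled value, but the credit is looked up by the option's
    position in the drop-down, so a tampered value is charged as submitted and
    credited as if the original option had been chosen."""
    plan, _, amount_text = value.partition("-")
    try:
        charged = fake_gateway_charge(card_token, Decimal(amount_text))
    except InvalidOperation:
        raise Rejected(f"unparseable amount {amount_text!r}")
    credited = TOPUP_OPTIONS[OPTION_ORDER[option_index]]
    return {"plan": plan, "charged": charged, "credited": credited}


def hardened_topup(value: str, card_token: str) -> dict:
    """The option value is an opaque key into the server-side catalogue. Both
    amounts come from that one record, and the credit is reconciled against
    what the gateway reports it actually charged before the balance is touched.
    The option's position in the form is not needed and not trusted."""
    expected = TOPUP_OPTIONS.get(value)
    if expected is None:
        raise Rejected(f"unknown top-up option {value!r}")
    charged = fake_gateway_charge(card_token, expected)
    if charged != expected:
        # Defence in depth: never credit an amount that was not actually paid.
        raise Rejected(f"gateway charged {charged}, catalogue says {expected}")
    return {"plan": value.partition("-")[0], "charged": charged, "credited": charged}


if __name__ == "__main__":
    tampered = "REG12-0.01"   # the value substituted into the form in the post
    token = "card-token-placeholder"  # constructed; no real card data
    print("vulnerable:", vulnerable_topup(tampered, 2, token))
    try:
        hardened_topup(tampered, token)
    except Rejected as exc:
        print("hardened rejected:", exc)
```

The defect is not the parsing of "0.01" as such (the USSD channel accepts arbitrary amounts and charges them correctly); it is that the charge and the credit are derived from two different sources, one of which the client controls. The hardened version removes the client from both decisions and adds the reconciliation check so that even a bug elsewhere in the catalogue cannot credit more than was paid.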

There have been many such write-ups about various popular services on this site, and there will probably be more. When systems are being developed (especially at companies that are not strictly IT-focused), there are practically no security tests or controls, and it seems the situation will not improve any time soon. Fortunately, no personal user data is affected here. This experiment can hardly even be called a hack: in fact, the desired amount is simply sent to the server, and in response the operator’s billing decides to credit the balance with an amount thousands of times larger than the one chosen.
