Hacking Qiwi wallet. A new way. Disable SMS confirmation.

CarderPlanet

General idea and explanation of the essence of the vulnerability.
This has not yet been covered and will not be covered, although, in my opinion, it is a huge hole.
This works not only with Qiwi; I want to explain to you the very essence of such vulnerabilities.
Qiwi has a mobile application with which you can transfer money without SMS confirmation. I think this is understandable. Many have already guessed what we are talking about? To connect a mobile application to a wallet, you only need a code from an SMS. I was surprised by the very content of the SMS (the detailed content will be in the second part). It says about "authorization in kiwi" and the only thing that is fired is "authorization via android", but in most cases mammoths hammer into it. In general, SMS does not fire

What am I all for? How can you take advantage of this?
To begin with, we need a server or hosting; we will put Qiwi authorization on it, but with an addition.

What will be on our hosting?
The first page is the usual authorization. It is advisable to authorize with a check of the data for validity, so if the entered data is incorrect, it asks to enter new data. But this is optional.
After successful authorization, there will be a second fake page with similar content: "Security check, enter the code from sms:"
Below I will describe why this is.
As soon as the fake is ready, we need to change the DNS of the victim. Having access to a computer, it is not difficult to do this (you can even do it through the hosts file or a router), for example, through a RAT or by writing a batch file.

How will it work?
We need an Android emulator, put Qiwi on it. We just need to connect the mobile application, but the victim will not know about it)
When the victim enters Qiwi from his computer, he will be sent to our fake. He will enter the data, we need to quickly fill them in the application in the emulator. When the mammoth is on the second page with "Enter the code from sms", we come up with a pin code; the victim will be sent an SMS just at this moment. The victim enters the code, we enter it in the attachment and we have access to the wallet, we can safely transfer money to ourselves. Everything can be easily (no) automated. To the victim, this looks like a simple security check. "I logged in, threw it out for a security check and received some kind of authorization code, entered it and dropped it into the wallet", only Qiwi does not warn that this is a mobile application connection.
There is also an option with Qiwi. I also think you can stir up the same with WebMoney. Yes, as Pattifon said, it can be simpler (I will also tell you), but I used this option quite successfully, and it is worth implementing this scheme.

Wait for the next part.
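
Editor's added example, not part of the original post: the scheme depends on the victim's machine resolving the wallet's hostname to a different server, and a hosts file entry is one of the places that override shows up. The Python check below flags any hosts entry that pins a watched domain; the watch list (`qiwi.com`), the function names and the sample file content are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: domains an endpoint check should never see pinned in a hosts file.
WATCHED = ("qiwi.com",)

# Constructed sample hosts content (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    qiwi.com www.QIWI.com   # constructed tampered entry
203.0.113.45    notqiwi.com
0.0.0.0         ads.example.net
garbage line without an address
"""

def is_watched(hostname, watched=WATCHED):
    """True if hostname equals a watched domain or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def find_overrides(hosts_text, watched=WATCHED):
    """Return (line_no, ip, hostname) for each entry pinning a watched domain."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        # Drop trailing comments, then split into address + hostnames.
        entry = raw.split("#", 1)[0].split()
        if len(entry) < 2:
            continue
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue  # first field is not an address: not a valid hosts entry
        for name in entry[1:]:
            if is_watched(name, watched):
                findings.append((line_no, str(ip), name.lower().rstrip(".")))
    return findings

if __name__ == "__main__":
    for line_no, ip, name in find_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} pinned to {ip}")
```

A hosts check does not cover the router-level DNS change the post also mentions; that case needs the resolver configured on the host or router to be compared against the expected one.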
 