How to secure an SMS sending feature in web applications? If an application is using a third-party SMS gateway, then SMS can also be spoofed. For example, an attacker can change the mobile number with Firebug and abuse the SMS gateway to send a spoofed SMS, such as a phishing message, to the victim. How can we secure the web application from this attack?
2 Answers
If the SMS gateway is vulnerable to these kinds of spoofing attacks, it needs to be resolved at the SMS gateway provider.
In most countries it is also the law that the sending phone number cannot be spoofed.
As far as a solution, I think what you could do is create an API that only accepts the SMS message from the web application.
A static phone number can be configured in the API's configuration. In return the API will send the request to the SMS gateway provider. This way an attacker can't see and modify the phone number as it is sent from the API.
- Thanks Jeroen, can you suggest any API? – Know Your Enemy Oct 29 '15 at 09:30
- What technology do you use to build your web application? I assume you mean suggesting a framework for building an API? I personally am experimenting with the Slim PHP framework, which actually works quite simply. – Jeroen Oct 29 '15 at 11:10
Unless you operate the telephony infrastructure from gateway to mast, the number can be spoofed.
Although the data packet protocol was designed to support multiple application binding using port numbers in a similar manner to UDP (and hence send encrypted/signed multipart messages), in practice it would be difficult to provision such an appointment on most mobile phones.
So if you want to fix the problem then you just need to get every mobile operator and manufacturer in the world (or a significant majority of them) to agree on a new protocol.
Or just tunnel encrypted/signed data over WAP or email.