Website executing javascript in SMS message

[thomas sjogren <t_sjogren () POSTMASTER CO UK>]

Affects: mtnsms.com and possibly other similar services
About mtnsms: 4,336,000+ members, 211 partner networks in 85 countries and growing ...
mtnsms.com notified on Feb 13 2001

Comment from mtnsms.com on Feb 15:
"not sure why you sent us that? got a problem with spamming?"

Problem description
Any html or javascript included in a GSM SMS (short message service) message, sent or recieved, will
be activated when a person enters the page with the message on it (Inbox or Outbox).

Impact - spamming
I haven´t tested this, but in theory it is possible for spammers with a SMS spam program to send
messages, including the meta refresh code, to all of the users of mtnsms.com. The result would be
that when a member enters their inbox he or she will directly be sent to the website chosen by the
spammer. It will also be very difficult, specially if a high speed connection is used, to remove the spam
for the user.

Impact - individual/mass sabotage
Instead of spamming, the sender could include malicious code in the message causing the browser to
crash or the computer to freeze. One method is to include the meta refresh code, sending a member
to a webpage with, for example, the "Self Referenced Frames Crash" which affects various o/s and/or
the "Invalid WAVE Crash" (Bugtraq June 1999).

Impact - sender generated
The really annoying part when it comes to security is that the users themselves often cause more
problems then outside attackers. This is the issue here as well. If a user sends a message containing
code, the code will activate when the users visits the Outbox page.




--
url: www.freespeech.org/screams

-----BEGIN PGP SIGNATURE-----
iQA/AwUAOj+s0Epl7KAh2d9BEQK9pwCf
Qt7re02wzZxcGJPyqQyWWQAFnPMAn2yf
EdhkgV7kgJXEXPomwWapRj4K=No9l
-----END PGP SIGNATURE-----