Bugtraq mailing list archives
Website executing javascript in SMS message
From: thomas sjogren <t_sjogren () POSTMASTER CO UK>
Date: Thu, 15 Feb 2001 18:16:12 +0000
Affects: mtnsms.com and possibly other similar services

About mtnsms: 4,336,000+ members, 211 partner networks in 85 countries and growing ...

mtnsms.com notified on Feb 13 2001

Comment from mtnsms.com on Feb 15: "not sure why you sent us that? got a problem with spamming?"

Problem description

Any html or javascript included in a GSM SMS (short message service) message, sent or received, will be activated when a person enters the page with the message on it (Inbox or Outbox).

Impact - spamming

I haven't tested this, but in theory it is possible for spammers with a SMS spam program to send messages, including the meta refresh code, to all of the users of mtnsms.com. The result would be that when a member enters their inbox he or she will directly be sent to the website chosen by the spammer. It will also be very difficult, especially if a high speed connection is used, to remove the spam for the user.

Impact - individual/mass sabotage

Instead of spamming, the sender could include malicious code in the message causing the browser to crash or the computer to freeze. One method is to include the meta refresh code, sending a member to a webpage with, for example, the "Self Referenced Frames Crash" which affects various o/s and/or the "Invalid WAVE Crash" (Bugtraq June 1999).

Impact - sender generated

The really annoying part when it comes to security is that the users themselves often cause more problems than outside attackers. This is the issue here as well. If a user sends a message containing code, the code will activate when the user visits the Outbox page.

--
url: www.freespeech.org/screams
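
The behaviour reported above goes away when message bodies are HTML-escaped at the point where the Inbox and Outbox pages are rendered. The following is an added example, not part of the original post and not mtnsms.com's code; the function names, the page template and the sample messages are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample SMS bodies (not taken from the original post).
SAMPLE_MESSAGES = [
    "See you at 8 & bring the tickets",
    '<meta http-equiv="refresh" content="0;url=http://example.invalid/">',
    "<script>alert(1)</script>",
]

def render_box_unsafe(title, messages):
    """The reported behaviour: SMS text is pasted into the page as-is."""
    rows = "".join(f"<li>{m}</li>" for m in messages)
    return f"<h1>{title}</h1><ul>{rows}</ul>"

def render_box_safe(title, messages):
    """Same page, but every message body is HTML-escaped at output time."""
    rows = "".join(f"<li>{html.escape(m, quote=True)}</li>" for m in messages)
    return f"<h1>{html.escape(title)}</h1><ul>{rows}</ul>"

class _TagCollector(HTMLParser):
    """Records every element an HTML parser sees in the rendered page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

# The only elements the (hypothetical) template itself emits.
ALLOWED_TAGS = {"h1", "ul", "li"}

def unexpected_tags(page):
    """Return elements in the rendered page that the template did not produce."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return sorted(set(collector.tags) - ALLOWED_TAGS)

if __name__ == "__main__":
    # Both views are checked because the post reports Inbox and Outbox alike.
    for box in ("Inbox", "Outbox"):
        print(box, "unsafe:", unexpected_tags(render_box_unsafe(box, SAMPLE_MESSAGES)))
        print(box, "safe:  ", unexpected_tags(render_box_safe(box, SAMPLE_MESSAGES)))
```

The `unexpected_tags` check can also serve as a regression test: any element in a rendered message list that the template did not emit means a message body reached the page unescaped.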