funsec mailing list archives
Advisory Multiple smartphones MMS notification sender obfuscation released in Germany
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Sat, 19 Sep 2009 18:14:17 +0300 (EEST)
http://www.silentservices.de/adv04-2009.html

Summary:

"Description:
An MMS Notification is part of the MMS communication flow. Usually an originator sends an MMS via a service provider (SP). After uploading the message to the SP, the recipient gets an MMS notification from the SP with information like originator, subject and URL of the content. In some mobile carrier networks it is allowed to send MMS notifications directly from one mobile unit to another. Some smartphones fail to properly display the originator of this kind of message, which leads to a sender obfuscation.

Impact:
This attack can be used in combination with social engineering to mislead the recipient to access the resource specified in the content URL of the MMS notification message. If the receiving device MMS client is configured improperly this could lead to automatically downloading whatever content is specified in the content URL. MMS clients which do not allow access to content URLs other than the provider's MMS proxy should be safe from the content, but are still vulnerable to the sender obfuscation. In addition this attack can be used to send spam and hate SMS."

--clip--

Discovered by: Michael Mueller a.k.a. c0rnholio

Juha-Matti

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
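The client-side policy the summary points to (fetch content only from the provider's MMS proxy, and do not trust the originator of a directly sent notification), as an added example that is not part of the original post or the advisory. The field names, the `via_sp` flag, the MMSC host name and the ports are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed carrier configuration (constructed values, not from the advisory).
MMSC_HOSTS = {"mmsc.carrier.example"}
ALLOWED_PORTS = {None, 80, 8002}

def content_url_allowed(url: str) -> bool:
    """True only if the notification's content URL points at the carrier MMSC."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return False
    if parts.scheme.lower() != "http":
        return False
    # Reject userinfo: in "http://mmsc.carrier.example@other.example/" the
    # real host is other.example, not the MMSC.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host in MMSC_HOSTS and port in ALLOWED_PORTS

def handle_notification(fields: dict) -> dict:
    """Decide how a client treats an already-decoded MMS notification.

    `fields` is a hypothetical decoded form with 'from', 'subject',
    'content_location' and 'via_sp' (assumed signal: True when the
    notification arrived from the service provider, False when it was sent
    directly from another mobile unit).
    """
    trusted_path = bool(fields.get("via_sp"))
    url_ok = content_url_allowed(fields.get("content_location") or "")
    return {
        # Never fetch automatically unless both the path and the URL check out.
        "auto_download": trusted_path and url_ok,
        # On a direct notification the originator field is set by the sender,
        # so it is labelled unverified instead of being shown as-is.
        "display_sender": fields.get("from", "") if trusted_path else "Unverified sender",
        "allow_manual_fetch": url_ok,
    }
```
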