Programmatically creating Textfree accounts.

Now that we have some of the basics out of the way, let's jump into something a little more in depth. In this exploit I will be showing how I was able to make OAuth signatures that work with Textfree's APIs, and how I was able to programmatically create accounts. Before reading the rest of this page, I would suggest you read about OAuth.

First, let's look at all the interfaces we have with Textfree. Textfree offers a web client and an Android/iOS app. I started by looking at the web client, but soon found that making an account requires you to fill out a captcha and provide an email/phone number. Programmatically creating an account via the web client isn't going to happen.

Let's turn our focus to the Android/iOS applications. I first set up an Android emulator running Android 5.1.1, since my physical Android runs Nougat. (You can't successfully man-in-the-middle Nougat because apps will not trust user-approved SSL certs; more on that here.) After setting up the Android emulator I started the MITM session and simply recorded all HTTP/HTTPS network traffic while I created an account inside of the app. The results show us that the packets are authenticated using OAuth.

Usually this would stop any sort of spoofed packet, repeating packet, or packet produced via a bot, but for some reason I was able to resend the same packet, and create an account. Later on I discovered that oauth_signatures are not hashed with a token before login. The consumer secret and base string are the only things used to create oauth_signatures before login.

Still, usually this doesn't matter, because OAuth uses nonces and timestamps to prevent people from just resending the same packet over and over. But for some reason Textfree doesn't check timestamps or nonces; the only thing they check is the oauth_signature. This means we can just copy and paste the Authentication header value and use it until the consumer key changes.
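The server-side checks that would have rejected the resent request, as an added example (not code from the original post or from Textfree): it verifies an OAuth 1.0 HMAC-SHA1 signature with an empty token secret, as in the pre-login case described above, and then enforces timestamp freshness and nonce uniqueness. The URL, key, secret and the 300-second window are constructed assumptions.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

MAX_SKEW = 300  # assumed policy: seconds a timestamp may differ from server time

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Base string = METHOD & encoded URL & encoded, sorted parameter string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class ReplayGuard:
    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.seen = {}  # (consumer_key, nonce) -> timestamp of the accepted request

    def verify(self, method, url, params, consumer_secret, now=None):
        now = time.time() if now is None else now
        expected = sign(method, url, params, consumer_secret).encode()
        supplied = str(params.get("oauth_signature", "")).encode()
        if not hmac.compare_digest(expected, supplied):
            return "bad_signature"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return "bad_timestamp"
        if abs(now - ts) > self.max_skew:
            return "stale_timestamp"  # a valid signature alone is not enough
        # Nonces only need remembering while their timestamp is still acceptable
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= self.max_skew}
        key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"))
        if key[1] is None or key in self.seen:
            return "replayed_nonce"
        self.seen[key] = ts
        return "ok"

def demo():
    # Constructed request: one signed message presented three times
    p = {"oauth_consumer_key": "example-key", "oauth_nonce": "n1", "oauth_timestamp": "1000"}
    p["oauth_signature"] = sign("POST", "https://api.example.test/register", p, "example-secret")
    g = ReplayGuard()
    return [g.verify("POST", "https://api.example.test/register", p, "example-secret", now=t) for t in (1010, 1020, 2000)]
```

The signature covers `oauth_timestamp` and `oauth_nonce`, so a captured request cannot be refreshed without the secret; once the server enforces both, the same header value is accepted exactly once.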

So, to be clear, we have the ability to send as many login packets as we want, even though we don't know the consumer key.

But wait, I said I was able to create oauth_signatures, not just copy and paste header values. Well, remember how Textfree has a web client? The web client also uses OAuth, which means that in order for the web client to have authenticated packets it has to have the consumer secret. So let's look for it.

After a short 5-10 minutes I found a variable named "consumerSecret". Textfree didn't even bother to obfuscate their JavaScript. I set a breakpoint and reloaded the page. Staring me in the eye was the web client consumer secret.

After some testing I found that the web client consumer secret only works for web client interactions, so trying to use the consumer secret that I found to make oauth_signatures from the Android app won't work...

So to conclude, I am able to create Textfree accounts and sign web client packets. Due to time constraints this is where my project concludes.

Here is the full-scale API for creating an account with Textfree. It's very slow because multiple HTTP requests are required to create an account and all of them are made via Tor.