Programmatically creating textplus accounts and sending texts.
Textplus a free texting and calling app like textfree. Unlike Textfree, Textplus doesnt offer a webclient. This limits us to only interacting with mobile applications. Thats ok, lets boot up our Android emulator and proxy. I've decided to start using charles proxy because it offers a better layout and I find it easy to work with even though its not free. Like my textfree hack lets start by looking over the application, and see if we can spot anything that would be a deal breaker (I look for recaptchas, anti bot software, and if the application works with TOR).
When creating an accout you are required to fill out a recaptcha. This is a deal breaker. Programmatically creating an account doesnt seam possible.
Looks can be deceiving. There is no correlation between the recaptcha and the registeration data. This means we dont need to complete the recaptcha. Let me be clear, I did bypass google recaptcha, textplus just didnt code it in all the way. Here is a PHP program that will create an account.
After you create an account the server will provide generate information that is vital for opperations later in the exploit (like sending a text).
For some reason the server responds to your registeration request with your account data in the header. I dont understand why this did this since they have been using json to transfer data between client and server for the entirety of the communication. This threw me off a little because I was expecting to get data back from the server the same way it was sent. After some looking around I found it.
Textplus uses a form of authentication that I have never seen used before. Probably because its really bad. They use some sort of two step authentication. You provide your username and password to "https://cas.prd.gii.me/v2/ticket/ticketgranting/service", which returns a "ticket". Here is a PHP program that will get a ticket for you.
With this ticket we move onto the second part of the authentication. You provide the ticket to "https://cas.prd.gii.me/v2/ticket/service" which returns another "authenticated" ticket. Here is a PHP program that will get you an "authenticated ticket" (make sure to provide all information).
The "granted ticket" is required in every single request after login. This is their from of user authentication.
With the granted ticket we move onto the next part of the process which is assigning a number. We first start by getting a list of avalible phone number locations. We will want to keep our eye on the "locale" values as seen here:
Now that we have the "locale" information, we can go ahead and register our device. This is how we are assigned a number.
From my knowledge the google push token seams to be static. I have had no issues reusing it over the past few weeks.
An another note, this step isnt actually required. We dont need to register a device because when we make an account textplus automatically assigns us a temporary number even though in the app if you havent registered a number you cant send a text.
This next part is how we can bypass device registeration. Even without a number we can still "invite" people via text or email. Our interest it in the invite via text, which by the way textplus allows us to make a custom invite.
Few things to keep in mind:
Keep in mind that when you invite people you make money in the app itself which can be spent to make phone calls....
Keep in mind that every account is assigned a different number. This means that every text that is sent via an invite is from a different number.
Here is a PHP program that will create an account, setup a number, and send a text to a number specified by you.
As you can see we are allowed to set custom text.
Here is the text coming through: