CSP-CERT® Resources:
Bypassing Globe Telecom's Online Portal's Login

by CSP-CERT® VAPT Team Manager - John Patrick Lita
posted October 2017



Good day! hello everyone jaypee again and another article i want to share to you guys, this finding was reported and discovered in Thu, May 12, 2016, when one of my student that i mentor in applications security Eugene Labrador having discussion with me and suddenly we came up on the globe online portal and discover this security flaw or in other term bad habit in programming that resulting to authentication bypass.


when i register on the globe portal we notice something on the source code "skiddie moves" or the "view source" on the source code we notice a very interesting on the source code that our curiosity triggered to test it.


on the source code we saw this line of codes




if you notice the

window.location.href = "https://accounts.globe.com.ph/login?email=" + email;


there is no security implementation on the source code. if a malicious user discover this insecure programming the impact of this vulnerability is HIGH RISK, because the malicious attack can conduct a fake survey to all globe clients and gather all their email address and the malicious attacker can take over on the globe telecom customer.



ATTACK SCENARIO

  1. Attacker will copy the url on the source code

  2. and paste it on the Address Bar

  3. then input the customers email address use in globe telecom online portal

  4. and the attacker now has the access on the account of the victim


This vulnerability is fix within just a week and the globe take action on the issue ASAP