
How I Could Steal Money from Instagram, Google and Microsoft - adamnemecek
https://www.arneswinnen.net/2016/07/how-i-could-steal-money-from-instagram-google-and-microsoft/
======
jimrandomh
Do premium phone numbers have any remaining legitimate use? The last time I
remember hearing about them was in the context of a callback scam, where
scammers would call and hang up after one ring so that people would call the
caller ID numbers. Actual pay-per-minute phone services seem like a rare
special case that would be better served by having people type credit card
numbers into the line with their dialpad.

~~~
thesimon
Sometimes used for payment and donations, especially in countries where a lot
of people have phones but not credit/debit cards (e.g. Germany)

~~~
fludlight
How do Germans buy things online without credit cards?

~~~
kybernetyk
PayPal

Or SofortÜberweisung where you give the login data to your online banking and
a TAN to a shady 3rd party company and they perform the wire transfer for you
- while sending a confirmation to the merchant that the money has been sent.

No, this is not a joke.
[https://de.wikipedia.org/wiki/Sofortüberweisung](https://de.wikipedia.org/wiki/Sofortüberweisung)

~~~
martin_a
I am lucky to know nobody that uses this crap of Sofortüberweisung.

------
joshavant
In the article, the author mentions contacting Google + they instruct him to
attempt pen testing on please.break.in@gmail.com. Didn't know they maintained
an account like that. Interesting.

------
countryqt30
Am I the only one who thinks the rewards of 2000, 0 and 500 are incredibly low?

The motivation is much higher to keep the bug for yourself and create several
10 000 easily before anyone ever would notice.

~~~
morgante
I'm surprised they got anything at all.

A few hundred dollars a year is _nothing_ for these companies, not to mention
that if you actually tried to abuse this to a substantial level I am 100%
confident that it would be detected and blocked.

It's like filing a bug bounty that you can sign up for multiple AWS accounts
and mine bitcoins in the free tier. Up to a certain level, they just don't
care. Past that level, you'll be detected and mitigated against.

~~~
imaginenore
Doesn't AWS require a working credit card to start using the free tier?

~~~
neurostimulant
They also accept prepaid debit card. I use one in my account.

------
carl_corder
I understand how these calls would cost Instagram/Google/Microsoft money. But,
could someone please explain why a call to a premium number "earns" the
account holder money?

~~~
haneefmubarak
So you can obtain a premium number, and then when anyone calls you on that
number they get charged the rate that you set per minute and after fees, you
get the money. That's how pay per minute phone services (esp. adult services)
work.

So what he did was to get one of those numbers and then have Google / Facebook
/ Instagram call that number repeatedly and that's how he would get money.

~~~
MustardTiger
But the phone company requires ID and bank info to obtain a premium number.
And then when you do this, google calls them to complain, and phone company
terminates your account, keeps the money, and reports you to the police for
fraud. Doesn't seem like a very good exploit.

~~~
MichaelGG
This isn't true. You can get such numbers all over the world; some you can
sign up for online and they provide reasonable anonymity. You can make a lot of
money doing scammy stuff and the risk of being prosecuted is pretty low. It's
just not worth trying to go after some guy with an account with a telecom in
Elbonia.

The cases of telecom fraud that I know of that were caught are usually due to
incredible arrogance on the perpetrator's part. In one case, he actually
called the company he was attacking to gloat that they could never get him.
(The company used a super-vulnerable-yet-expensive switch that literally had
bugs like "&admin=1 gets superuser".) I've not seen a VoIP system that was
remotely secure.

------
thatusertwo
A friend runs some SIP networks; he said sometimes when hackers get access to
a line they make calls to premium numbers in North Korea and other places.
They can run up a $5000 bill pretty quickly.

~~~
13of40
I think I recall viruses doing the same in the early 90's, so this isn't
exactly a new idea.

~~~
fit2rule
In some parts of the world it was the kind of thing you could have happen to
the household by just letting your stupid little brother look at one or two
naughty ads in the back of a magazine ..

~~~
germanier
I think there was a TV show or ad instructing children to pick up the phone
and hold it near the TV which then was playing dial tones.

~~~
1just4this
please source someone!!!

------
tormeh
If you haven't already, call your phone provider and tell them to disable
premium calls/texts/services. They're obsolete and quite a number of them are
pure scams.

~~~
brianwawok
Why go to the effort if I have literally never had it show up on my bill? If it
did I wouldn't pay it.

~~~
Can_Not
Does that actually work? I've always been curious if you could actually "not
pay it".

~~~
cgriswald
If you can convince your provider that the calls were not legitimate or the
premium number provider did not disclose fees, etc. your provider will
probably tell the premium number's provider to pound sand. Or convince them it
was your kid. At least in the US, people under 18 cannot make these calls and
so don't have to pay.

------
mgalka
Cool idea. My sense is that they would catch on before the amounts reached
anything substantial, but who knows. Either way, fun as a thought experiment.

~~~
azeirah
I wonder what "substantial" would mean to a company like google or microsoft.

Besides, if the exploiter spreads the calls out well enough, I wonder how long
it would take until it gets detected..

------
zappo2938
Reminds me of when I was a kid and used the next phone over to accept a
third-party paying call. Or, when answering machines in the early 90s only had
two-digit pass codes. I would change the outgoing message to "yes yes yes
yes yes ..." so when the automated machine checked if the phone would accept
charges it would.

------
snowy
Anyone else think that the bug bounty rewards were quite low?

~~~
Jarwain
Yeah, but it seemed that they were low because both Google and Microsoft value
the security of customer data over their own finances, and thus don't care as
much about exploits that drain their wallets. Resulting in a lower bounty.

~~~
rasz_pl
Nah, Microsoft revealed they outsourced all the financial risk to a "partner"
and didn't care for it :-)

------
raresp
You certainly deserve a bug bounty bonus from all these companies.

------
paulpauper
Amazing... so any service that sends an automated call to premium numbers can be
exploited in this manner

~~~
jfoster
The smaller ones would be using services like Twilio, I would imagine. Does
Twilio insulate users from this at all?

~~~
huehehue
Looks like the call fails and they return an error message.

"Twilio does not support outbound calls [...] to [...] premium rate telephone
numbers."

[https://www.twilio.com/help/faq/voice/what-types-of-phone-numbers-can-i-not-dial](https://www.twilio.com/help/faq/voice/what-types-of-phone-numbers-can-i-not-dial)

------
mk89
Super cool!

When input validation doesn't stop at ";&' and similar :)
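The two defensive controls raised in this thread, refusing to dial premium-rate destinations (as the Twilio FAQ quoted above describes) and validating the number before an automated verification call is placed, can be combined into a small gate in front of the calling code. The following is an added example written for this page; it is not code from the linked article, from Twilio, or from any of the affected companies. The prefix deny-list, the per-account and per-destination limits, and the `CallGate` / `normalize` / `deny_reason` names are all constructed for illustration; a real deployment would load prefix data from a maintained numbering-plan source.

```python
"""Defender-side gate for automated outbound voice calls (e.g. phone verification).

Added example, not the code of any service discussed in the thread. Two controls
run before a call is placed:
  1. the destination is normalized to E.164 and checked against a deny-list of
     premium-rate / disallowed prefixes, and
  2. the number of calls any one account or any one destination can trigger
     inside a sliding window is capped.
Prefix entries and limits below are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# E.164: leading '+', country code not starting with 0, 7..15 digits total.
E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")

# Constructed deny-list (E.164 prefixes, no separators). Real deployments load
# this from a maintained source; these entries are illustrative only.
DENIED_PREFIXES = {
    "+1900": "premium-rate (NANP 900)",
    "+1976": "premium-rate (NANP 976)",
    "+449": "premium-rate (UK 09x)",
    "+850": "disallowed destination (example entry)",
}


def normalize(raw):
    """Strip spaces, dashes, dots and parentheses; map a '00' trunk prefix to '+'.
    Returns the E.164 string, or None if the result is not a plausible number."""
    digits = re.sub(r"[\s\-\.\(\)]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits if E164_RE.match(digits) else None


def deny_reason(number):
    """Return the deny-list reason for an E.164 number, or None if it is allowed."""
    for prefix, reason in DENIED_PREFIXES.items():
        if number.startswith(prefix):
            return reason
    return None


class CallGate:
    """Sliding-window limiter keyed on both the requesting account and the destination."""

    def __init__(self, per_account=3, per_number=3, window=timedelta(hours=1)):
        self.per_account = per_account
        self.per_number = per_number
        self.window = window
        self._by_account = defaultdict(deque)  # account -> timestamps of allowed calls
        self._by_number = defaultdict(deque)   # E.164 number -> timestamps of allowed calls

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, account, raw_number, now=None):
        """Decide whether an outbound call may be placed. Returns (allowed, reason)."""
        now = now or datetime.utcnow()
        number = normalize(raw_number)
        if number is None:
            return False, "invalid number format"
        reason = deny_reason(number)
        if reason:
            return False, reason
        acct_q, num_q = self._by_account[account], self._by_number[number]
        self._prune(acct_q, now)
        self._prune(num_q, now)
        if len(acct_q) >= self.per_account:
            return False, "account call limit reached"
        if len(num_q) >= self.per_number:
            return False, "destination call limit reached"
        acct_q.append(now)
        num_q.append(now)
        return True, "ok"


if __name__ == "__main__":
    gate = CallGate(per_account=2, per_number=2, window=timedelta(minutes=10))
    t0 = datetime(2016, 7, 1, 12, 0, 0)  # constructed timestamp
    for acct, num, t in [("a1", "+1 415 555 0100", t0),
                         ("a1", "+1 415 555 0100", t0 + timedelta(minutes=1)),
                         ("a1", "+1 415 555 0100", t0 + timedelta(minutes=2)),
                         ("a2", "+1 900 555 0100", t0)]:
        print(acct, num, gate.allow(acct, num, t))
```

The destination-keyed limit is the control that matters most here: it caps how many times the service will call any single number regardless of how many accounts request it, so a per-account cap alone cannot be worked around by registering more accounts. The deny-list check runs first so that a premium-rate destination is never counted, or dialed, at all.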

------
interdrift
How could they miss that?!

