SMSWithoutBorders (SWOB) is an open-source platform that enables secure communication with online services using SMS messages in the event of an Internet shutdown. This proactive method requires users to prepare the app by storing access to their online platforms while they have an internet connection.
Through OTF’s Red Team Lab, Radically Open Security (ROS) carried out a penetration test for SWOB. The scope of the penetration test was limited to the SWOB Android app and back-end code, designed to assess the app and code’s security and to find any vulnerabilities or exploits. ROS performed a “crystal box” penetration test, where the testers have the source code (or full configuration information of infrastructure components) while performing gray box testing, where the tester has credentials to log into the app for various rules (e.g.: user, administrator, etc.).
The test discovered a high-severity vulnerability concerning the lack of input validation in one of the endpoints, leading to a reflected cross-site scripting vulnerability. This means that an attacker can inject a cross-site scripting payload in the [id] value when a user syncs saved tokens upon logging in or signing up (the [id] value being the user’s username or ID). A successful attack could lead to a session hijacking, credential theft, or the client’s system getting infected with malware.
This vulnerability has been addressed and resolved by SWOB.
ROS found several medium-to-low vulnerabilities that have been addressed by SWOB. In follow-up retests by ROS, all previously discovered vulnerabilities were found to have been resolved.
The full penetration test for SMSWithoutBorders can be found below.