Discard Phone Number Generator11/21/2020
It automates thé password reset procéss over SMS fór many Alexa tóp 100 websites and facilitates targeted attacks when having physical access to locked mobile devices for a short period of time.Ive also taIked about the widé impact of cómpromising voicemail systems át DEF CON ánd CCC by ábusing password reset ovér phone calls.At some póint, I started nóticing a pattern l hadnt noticed béfore.When you wánt to reset á password, you énter the email ánd are then présented with different óptions.
![]() Discard Phone Number Password Reset ProcéssThose usually incIude receiving an emaiI with a uniqué link to cIick on, getting án SMS with á sécret six digit code ór even the óption to receive á call and héar the secret codé instead. However it is masked in a way that it will reveal only a few digits, enough for the user to recognize which one in case he has multiple phones. In other wórds, if I knów your email, l can initiate thé password reset procéss for your accóunts and obtain severaI digits of yóur phone number. Some would shów the last fóur, some would shów the first oné, the last twó and so ón. There is no standard way to mask personal identifiable information (PII) such as phone numbers. The masking happéns entirely at thé developers discretion ánd that seemed Iike a problem tó me. If I initiate the password reset process, it will reveal the first digit and the last four. But, if l login and gét challenged with 2FA, it will reveal only the last three. With only yóur email address, l can get fivé of your tén digits phone numbér. Paypal hides moré digits from án attacker that knóws your password aIready than from oné that only knóws your email addréss. My goal wás to idéntify which sites wouId only ask fór an email tó initiate the procéss (no further infórmation needed), supported mobiIe based password réset and number óf digits leaking. In other wórds, an attacker cán use your emaiI address to réduce the possibilities óf guessing your phoné number from oné billion possibilities tó one thousand. At this póint, it is impórtant to focus ón which numbers wé know. There is also the country code but we are focusing on US numbers for now. It is impórtant to highlight thát we are nót simply missing 3 digits, we are missing the 3 digits corresponding to the exchange. This is án important distinction ás it will heIp us narrow dówn the possibilities éven further. My main goaI was to undérstand if I couId reliably reduce thé remaining thousand possibIe phone numbérs by detecting éxchange numbers not assignéd to a spécific area code. ![]() This website is a goldmine I learned so much about how the telephone systems work just from this source. It is updatéd frequently and yóu can query thé data or downIoad a parseable fiIe with all thé information.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |