Send to WP7 (previously Chrome to WP7) is an app for Windows Phone 7 that lets users send text, web links, images and so on to their WP7 handsets directly from the browser. Its purpose resembles Google's Chrome to Phone utility; its security model, however, is far weaker, and insecure by default.
While Google Chrome to Phone uses OAuth to authenticate users with their Google accounts, Send to WP7 generates a 6-character hex code derived from a random GUID created the first time the app is started. The browser extension then uses this code to send data to the daveamenta.com server, where it waits until the WP7 client fetches its updates.
Since there is absolutely no validation process on the server, and the design makes it impossible to verify who is sending to whom when the only credential is the randomly generated code, abusing this app is as easy as taking a walk on the shore.
Sending data to a WP7 device is done with a POST request to http://www.daveamenta.com/wp7api/com.davux.ChromeToWindowsPhone/ with the user's random code as the only piece of information identifying them.
Request URL: http://www.daveamenta.com/wp7api/com.davux.ChromeToWindowsPhone/
Request Method: POST
Query String Parameters
title: some title
url: http://martani.net
sel:
type: page
passcode: ABCDEF

The server then returns "Client Not Found. Check Pair Code." if the code is not associated with any device, or "OK - No notification" on success. Using this information, one can run a large-scale "empty message" sweep to retrieve the valid codes associated with actual devices, or send a wave of spam directly without checking for validity at all.
Theoretically, there are 16777216 possible codes (16^6) for a 6-character hex number; a naive method would be to iterate through all of them and pick out the valid ones:
The program above would do a (very lengthy) sequential probe of every code, checking for those that return "OK" in the response, and list them on the console.
As you can see, you can send any message, and even links to your apps in the WP7 Marketplace (which, once clicked, open the Marketplace directly), to all users of "Send to WP7", and of course retain their codes for future spamming.
On the other hand, it is not clear how the data users exchange with their devices is handled. Is it archived on the server forever? Does a deletion from the WP7 client entail a deletion from the server? I believe users of this app should get answers to all these questions, and must expect a minimum of security, where only they can send data to their phones.
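As an added illustration (not the app's code, and not code from the original post), here is a model of the pairing check the post describes beside a hypothetical hardened version; the hardened class, its names and the 20-per-minute limit are assumptions:

```python
import hmac
import secrets
import time
from collections import defaultdict

HEX6_KEYSPACE = 16 ** 6  # every possible 6-character hex pair code

def hours_to_enumerate(keyspace, requests_per_second):
    """Wall-clock hours needed to try every code at a given request rate."""
    return keyspace / requests_per_second / 3600

class WeakPairingServer:
    """Model of the design in the post: the pair code is the only identifier
    and the reply tells the sender whether the code is paired to a device."""
    def __init__(self, paired_codes):
        self.paired = set(paired_codes)

    def push(self, passcode, title, url):
        if passcode not in self.paired:
            return "Client Not Found. Check Pair Code."
        return "OK - No notification"

class HardenedPairingServer:
    """Hypothetical fix: 128-bit pair secret, constant-time comparison,
    a reply that never reveals whether the secret matched, and a per-source
    rate limit so the keyspace cannot be swept."""
    def __init__(self, max_per_minute=20):
        self.devices = {}               # device_id -> pair secret (hex)
        self.inbox = defaultdict(list)  # device_id -> queued (title, url)
        self.hits = defaultdict(list)   # source -> recent request timestamps
        self.max_per_minute = max_per_minute

    def pair(self, device_id):
        secret = secrets.token_hex(16)  # 2**128 values instead of 16**6
        self.devices[device_id] = secret
        return secret

    def push(self, source, device_id, secret, title, url, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[source] if now - t < 60]
        if len(recent) >= self.max_per_minute:
            self.hits[source] = recent
            return "Too many requests"
        self.hits[source] = recent + [now]
        # Compare against a dummy when the device is unknown so timing is uniform.
        expected = self.devices.get(device_id) or secrets.token_hex(16)
        if hmac.compare_digest(expected, secret):
            self.inbox[device_id].append((title, url))
        return "Accepted"  # same reply for valid, wrong, and unknown secrets
```

The hardened server replies "Accepted" whether or not the secret matched, so a sender learns nothing from the reply; only the paired device sees what actually reached its inbox.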
//I cannot be held responsible for any abusive use of information I present here, this post is merely a showcase of bad security design.