OnePlus 2 invite queue can be jumped using Mailinator and Gmail APIs, researcher finds

OnePlus has launched its new smartphone, the OnePlus 2, which is being sold through a special invite-only mechanism. The invite system has a built-in referral feature that lets you refer your friends and family to OnePlus for an invite. The OnePlus 2’s popularity is such that the invites are sold on the black market at a premium.

Jake Cooper, an engineering student (a bored one, in his words), found a vulnerability in the OnePlus 2 referral system after discovering that he was at 70000 on the OnePlus 2 registration list. Angry at the referral and invite-only system, Cooper decided to test the referral system for vulnerabilities and finally found one.

When the OnePlus 2 waiting list first went live last week, Cooper, a longtime fan of OnePlus, registered and was at number 9000 in line, which should have secured him a new smartphone. However, the company’s decision to let fans invite their friends to cut the virtual line quickly pushed Cooper down below position 70,000.

Instead of just giving up, Cooper decided to hack the website. He was able to shoot back up the list pretty quickly, eventually landing at position 1,694.

Proof of Concept (PoC)

Cooper went to OnePlus’ invite page and started manually sending links to disposable email addresses hosted by mailinator.com. Surprisingly, they worked. He quickly jumped to below 50000 with this method and realized there was a vulnerability in the system.

Using Python, he started by extracting the request URL from the invite page, which he found by looking at the Network tab in the Chrome debugger.

https://invites.oneplus.net/index.php?r=share/signup&success_jsonpCallback=success_jsonpCallback&email=test%40mailinator.com&_=1438634544515

The above response is the result of sending a request to test@mailinator.com. Cooper says in his PoC that one can request an email to any address in the form of:

https://invites.oneplus.net/index.php?r=share/signup&success_jsonpCallback=success_jsonpCallback&email={{name}}%40mailinator.com&_=1438634544515

where {{name}} is the name of the mailinator inbox you want to use.

A couple of lines of Python, and boom. He was able to generate a 32-digit random string and use it as a new mailbox.

This exploit allows anyone to send confirmation emails to any email address using OnePlus’ system.

He then used the Mailinator API to retrieve the entire mailbox using the following command:

He then added the sleep timer

{'messages': [
  {'to': 'test@mailinator.com', 'ip': '198.2.132.96', 'fromfull': 'invites@oneplus.net', 'id': '1438598503-141602468-test', 'seconds_ago': 2621, 'subject': 'Confirm your email', 'time': 1438598503781, 'from': 'OnePlus', 'been_read': False},
  {'to': 'test@mailinator.com', 'ip': '198.2.132.96', 'fromfull': 'invites@oneplus.net', 'id': '1438598522-141603512-test', 'seconds_ago': 2602, 'subject': 'Successful sign-up for the reservation list', 'time': 1438598522985, 'from': 'OnePlus', 'been_read': False}
]}

Cooper says that, “Initially, the value for the messages key was coming back as null. After some quick debugging, I ruled that the mailinator API must only create the inbox after a message has been received. Adding a sleep timer of 1 resolves the problem, but I ended up DOSing the OnePlus invite queue (I shit you not) and ramped it down to 1 req/5s.”

To access an email’s body, you need the email ID. Some simple JSON drilling and we can easily extract it.

Using the emailID, just request the email and drill through that to get to the body of the email.


Here’s the result of print(content)

Sprinkle a bit of regex in there, and voilà: the confirmation URL is extracted.

https://xkcd.com/208/

Put it all together and what do you get?

He found out that the OnePlus 2 invite system had a similar Gmail exploit. He has given the PoC of the Mailinator exploit here and the Gmail exploit here. His git is listed here.
He stated that the Gmail exploit can be used as follows:

Steps to use :

  1. Fill in RESERVATIONID and APITOKEN on lines 8-9
  2. Download and install Requests (https://docs.python-requests.org/en/latest/)
  3. Run! (python MailinatorExploit.py)

OnePlus has taken cognizance of Mr. Cooper’s efforts to find vulnerabilities in its invite system and has given him an early invite. The post says,

In both cases, we’ll make sure cheaters will find their time has been wasted. Unless, of course, you’re a white hat like RealJakeCooper, who will be getting an invite extra early for his efforts.
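
Seen from the defender's side, the pattern described above (32-character generated mailbox names on mailinator.com, arriving at a steady one request per five seconds under a single referral) stands out in signup logs. The Python below is an added example, not Cooper's or OnePlus' code; the log layout, referrer IDs, thresholds and the one-entry disposable-domain list are assumptions, and the sample rows are constructed.

```python
import hashlib
import re
from collections import defaultdict
from statistics import median

DISPOSABLE_DOMAINS = {"mailinator.com"}          # assumption: seed list, extend from a maintained feed
GENERATED_LOCAL = re.compile(r"[a-z0-9]{24,}")   # long machine-made mailbox names

def build_sample():
    """Constructed signup log rows: (unix_time, referrer_id, referred_email)."""
    rows, t0 = [], 1438598500
    for i in range(12):                          # scripted referrer: one signup every 5 s
        box = hashlib.md5(str(i).encode()).hexdigest()   # stands in for a 32-char random name
        rows.append((t0 + 5 * i, "REF-A", f"{box}@mailinator.com"))
    organic = ["alice@example.com", "bob.k@example.org",
               "carol@mailinator.com", "dave@example.net"]
    for i, addr in enumerate(organic):           # organic referrer: friends sign up hours apart
        rows.append((t0 + 7200 * i, "REF-B", addr))
    return rows

def score_referrers(rows, min_referrals=5):
    """Per referrer: disposable-domain share, generated-name share, median gap, verdict."""
    by_ref = defaultdict(list)
    for ts, ref, email in rows:
        local, _, domain = email.lower().rpartition("@")
        by_ref[ref].append((ts, local, domain))
    report = {}
    for ref, items in by_ref.items():
        items.sort()
        n = len(items)
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        disposable = sum(d in DISPOSABLE_DOMAINS for _, _, d in items) / n
        generated = sum(bool(GENERATED_LOCAL.fullmatch(l)) for _, l, _ in items) / n
        med_gap = median(gaps) if gaps else None
        # Flag only with enough volume: one friend on a throwaway inbox is not abuse.
        flagged = n >= min_referrals and (
            disposable >= 0.8
            or (generated >= 0.8 and med_gap is not None and med_gap <= 10))
        report[ref] = {"referrals": n, "disposable_share": disposable,
                       "generated_share": generated, "median_gap_s": med_gap,
                       "flagged": flagged}
    return report

if __name__ == "__main__":
    for ref, row in score_referrers(build_sample()).items():
        print(ref, row)
```

Flagged referrers can have their referral credit withheld pending review, rather than blocking the signups themselves.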
