Plivo is a platform that simplifies how businesses integrate communications into their applications. It provides a range of services for building your own communication application, primarily SMS and voice services.

I've built a web application, "Click-to-call", which can be integrated into any website using Plivo's client-side browser SDK. It lets a website visitor call the business directly from the browser, without any additional device and without sharing personal details. Alternatively, the visitor could have a call placed to their own phone using the "Call my Mobile" option.

[Figure: Click-to-call web application, and the "Call my Mobile" call trigger]

The "Call my Mobile" option triggered a server-side script that returned XML, which was then passed to the Plivo service to place the call.

[Figure: Voice call flow and call workflow]

Problem Statement

After a while, calls started being triggered automatically without any real user entering a mobile number in the application. This quickly drained the credit on the client's Plivo account; within a few minutes it was fully depleted. Urgent attention was required to find the root cause of the attack.

Steps for Debugging

After some investigation, the root cause was identified: our XML-generating PHP script could be called by anyone who sent the appropriate POST parameters to its URL. Anyone who discovered this loophole could trigger anonymous calls at the client's expense.

Solution

The issue was fixed by adding an extra check to the script that verifies the IP address from which the PHP script is being triggered. This simple yet effective fix saved the client money.

Lessons learned

  1. Never expose a server-side script that accepts POST parameters in a way that can be exploited by anyone who finds its URL.
  2. If a script needs a parameter to be supplied, validate it thoroughly and add extra security checks where needed.
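The following is an added example, not the original application's code: a minimal PHP endpoint of the kind described, with the source-IP check from the fix above and the parameter validation from lesson 2. The allowed addresses, the `number` POST field and the XML element layout are assumptions chosen for illustration.

```php
<?php
// Added example, not the original application's code.
// A click-to-call XML endpoint hardened as the post describes:
// (1) accept requests only from known source addresses,
// (2) validate the number parameter before it goes into the XML,
// (3) fail closed: no XML is returned unless both checks pass.

// Assumed allowlist: replace with the real addresses for your deployment.
const ALLOWED_SOURCE_IPS = ['203.0.113.10', '203.0.113.11'];

// True only if $ip is exactly one of the allowed addresses.
// Compare REMOTE_ADDR, not X-Forwarded-For: the latter is a client-supplied
// header and is attacker-controlled unless a trusted proxy overwrites it.
function isAllowedSource(string $ip): bool
{
    return in_array($ip, ALLOWED_SOURCE_IPS, true);
}

// Accept only E.164-style numbers (leading '+', 8 to 15 digits) so the value
// cannot smuggle markup into the XML or name an unexpected destination.
function isValidNumber(string $number): bool
{
    return preg_match('/^\+[1-9][0-9]{7,14}$/', $number) === 1;
}

// Build the call XML. The element layout here is assumed for illustration.
function buildCallXml(string $number): string
{
    $safe = htmlspecialchars($number, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return "<Response><Dial><Number>{$safe}</Number></Dial></Response>";
}

// Request handling: previously any POST reached this point; now fail closed.
$source = $_SERVER['REMOTE_ADDR'] ?? '';
if (!isAllowedSource($source)) {
    http_response_code(403);      // unknown caller: no XML, so no call
    error_log("click-to-call: rejected request from {$source}");
    exit;
}

$number = $_POST['number'] ?? '';
if (!isValidNumber($number)) {
    http_response_code(400);      // malformed number: reject, log nothing sensitive
    exit;
}

header('Content-Type: application/xml');
echo buildCallXml($number);
```

Logging rejected source addresses also gives you an early signal of someone probing the endpoint before any credit is spent.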

If you would like to build a similar application for your website using Plivo, please contact me.