Anonymous call triggering in Plivo application
Plivo is a platform that simplifies how businesses integrate communications into their applications. They provides a host of services for building your own communication application. It primarily includes SMS & voices services.
I’ve built a web application “Click-to-call” which can be integrated into any website for using their client-side browser SDK. This application enabled the website user to directly call to the concerned business using the browser without any additional device or sharing the personal details. Alternatively, there was an option to trigger a call to the
This option used a server side script to be triggered which will return an XML to be passed on to the Plivo services for triggering the call.
After a while, there was a strange call getting automatically triggered without real-user entering the mobile number in the application. This quickly depleted the credit of the Plivo account of the client. Within a few minutes, the credit was fully depleted. Urgent attention was required to figure out the root cause of the attack.
Steps for Debugging
Investigating for a while, the root cause was identified as our XML generating PHP script could be called by anyone by passing the appropriate POST parameters to the URL. If this loophole is detected by a hacker, he can easily trigger anonymous calls using that exploit.
This issue was fixed by added an extra check to the source and verifying the IP where the PHP is getting triggered. As a result of this, simple yet
Lessons to be taken
- Never expose server-side script to take POST parameters which can lead to any exploit.
- If scripting needs a
parameterto be supplied, validate it thoroughly and put extra security checks if needed.
If you like to build a similar application for your website using Plivo, please contact me.