Tata Docomo scam!

  • Thread starter: dextermorgan
  • Replies: 39
  • Views: 10,407
Status
Not open for further replies.
If anyone is stupid enough to type the URL and run it on his phone, he should get penalized for it 😛

I am on desktop!! No threat to me! 😀

Probably docomo just sees the ID and then activates the plan on number associated with that ID.
 
I was planning on discontinuing this service for a long time. This incident just pushed me to actually do it.

I don't plan to recharge this shitty number again with more than Rs 10 at a time. Should have enough balance to port if I remember right.
 
No shit, a GET request can activate stuff, but only a script hosted on Jaljeera's server. If it activated a request on Docomo's server, then it's because of shitty coding by Tata people, and a CSRF vulnerability. However, if you opened the link using the Android default browser (or maybe even in Chrome), it's possible that it exploited known vulnerabilities in order to send an SMS via the Android framework, but otherwise it shouldn't be possible. Write to Docomo, and ask if any SMS or calls have been made from your number around the time you received the message. Also check with them HOW it got activated (over the web etc. or SMS).

If one of you is on Docomo but iOS, try opening the link.
 
I once got an SMS from Tata Docomo that I had subscribed to the caller tune service and lost Rs 35/- from my balance; I had to get into a huge argument with CC and luckily was refunded the amount.

There is nothing new about such subscriptions; this is regular practice with telecom operators.
 


There is some serious shit going on.... By changing the BirthdaySms in the cat parameter to birthday, you get a nasty error page and a lot of info... I know Python, PHP, JavaScript, HTML, C++ and more, but not Java; maybe one of you can figure out what's going on at:
http://www.jaljeera.com/Tata/index.jsp?cat=birthday

No serious shit is going on. It is just a Java exception. Normally you catch exceptions and display an error page to the end user in case of some unexpected errors. At most, we can call it shitty coding.

Also, the server at jaljeera could be making requests to Docomo servers after getting requests via GET parameters, or accessing the Docomo database directly. So instead of exposing Docomo server URLs in the SMS they are using the jaljeera server to forward requests.

jal jeera 😀
 
This is simple.
  1. Become a Tata Docomo payment agent.
  2. First send a request to Tata Docomo about the plan on behalf of the user (without the user knowing it).
  3. Tata Docomo sends the activation code back to jaljeera (because the request is from a trusted agent).
  4. Generate a "direct" confirmation URL and send it to the user by SMS.
  5. User clicks it - jaljeera now has proof to show to Docomo: look, "he clicked the confirmation URL". The same log would be there in Tata Docomo server logs too.
  6. Request goes to Tata Docomo to activate the plan and they OBLIGE!
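The two technical points in this thread (the earlier post's remark that a bare GET on a link can only safely activate something if the server is CSRF-vulnerable, and the six-step flow above where "he clicked the confirmation URL" is treated as consent) both come down to the same server-side defect: a state-changing, paid action triggered by a single GET whose only proof of identity is an id in the URL. The following is an added example, not code from the thread, from Tata Docomo or from jaljeera. It models that weak pattern in Python beside a hardened handler in which the GET only renders a confirmation page, the subscriber is taken from the authenticated session rather than from the link, the activation requires a POST carrying a single-use token, and an unknown `cat=` value returns a generic 400 instead of leaking a stack trace. All names (`activate_by_get`, `HardenedHandler`, `SubscriptionService`), the id `abc123`, the session id `sess-1`, the number and the price table are constructed for the example.

```python
import hmac
import secrets

# Constructed price table: hypothetical plan name and price, not operator data.
PLANS = {"BirthdaySms": 45}

# Constructed mapping of the opaque id carried in the SMS link to a subscriber.
SUBSCRIBER_OF = {"abc123": "9876500000"}

# Constructed mapping of an authenticated session to its subscriber.
SESSION_SUBSCRIBER = {"sess-1": "9876500000"}


class SubscriptionService:
    """Stand-in for the operator's provisioning back end (hypothetical)."""

    def __init__(self):
        self.charges = []  # one (number, plan, amount) tuple per activation

    def activate(self, number, plan):
        self.charges.append((number, plan, PLANS[plan]))


def activate_by_get(service, request):
    """Weak pattern discussed in the thread: a bare GET with id= and cat=
    activates a paid plan. No method restriction, no CSRF token, no explicit
    user step, and the subscriber is whoever the id in the URL says it is.
    An unknown cat= escapes as a raw exception, like the JSP error page.
    """
    params = request["params"]
    number = SUBSCRIBER_OF[params["id"]]
    service.activate(number, params["cat"])  # KeyError propagates on unknown plan
    return 200, "activated"


class HardenedHandler:
    """Hardened variant: GET only renders a confirmation page and issues a
    single-use token bound to the session and plan; the charge happens only
    on a POST from that session presenting the matching token.
    """

    def __init__(self, service):
        self.service = service
        self.pending = {}  # session_id -> (token, plan) awaiting confirmation

    def handle(self, request):
        plan = request["params"].get("cat")
        if plan not in PLANS:
            return 400, "unknown plan"  # generic message, no stack trace
        if request["method"] == "GET":
            return self._confirm_page(request, plan)
        if request["method"] == "POST":
            return self._activate(request, plan)
        return 405, "method not allowed"

    def _confirm_page(self, request, plan):
        # A fresh token per confirmation page; the GET itself changes no state.
        token = secrets.token_urlsafe(32)
        self.pending[request["session"]] = (token, plan)
        return 200, {"confirm": plan, "price": PLANS[plan], "csrf_token": token}

    def _activate(self, request, plan):
        # pop() makes the token single-use: a replayed POST finds nothing pending.
        expected = self.pending.pop(request["session"], None)
        presented = request["params"].get("csrf_token", "")
        if (expected is None or expected[1] != plan
                or not hmac.compare_digest(expected[0], presented)):
            return 403, "confirmation required"
        # Identity comes from the session, never from an id in the link.
        number = SESSION_SUBSCRIBER.get(request["session"])
        if number is None:
            return 401, "not signed in"
        self.service.activate(number, plan)
        return 200, "activated"


if __name__ == "__main__":
    weak = SubscriptionService()
    print(activate_by_get(weak, {"method": "GET", "session": None,
                                 "params": {"id": "abc123", "cat": "BirthdaySms"}}))
    print("weak charges:", weak.charges)
    hard = HardenedHandler(SubscriptionService())
    status, page = hard.handle({"method": "GET", "session": "sess-1",
                                "params": {"cat": "BirthdaySms"}})
    print("hardened GET:", status, page, "charges so far:", hard.service.charges)
```

The contrast a reviewer would look for: in the weak handler a single request, which any SMS or web page can cause a browser to send, is both the identity proof and the consent; in the hardened handler the link can at most show a price page, and the log line that proves consent is a POST that only the signed-in subscriber's browser could have produced.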
 
Well, since calling customer care is being charged, they're committing fraud. I'm going to complain on the govt portal. It has come to good use in the past; let's see if it still works.
 
I'm pretty sure that if an online request is being sent, then Tata can only approve the request if it is being made from the user ID of the guy. I'm pretty sure that there is probably some vulnerability in the Tata Docomo database or servers.
 
Exactly. They're basically saying "We'll send you spammy links all the time... don't click on them. What? You clicked on them by mistake? lolbro, let me charge you 45 bucks."

And they keep on sending this msg; I'm actually wary of recharging this number.
[attached screenshot: Ei7jyQD.png]
 