K7: Free [for the taking] Voicemail

by noir

K7.net is a site providing free, web-based voicemail and fax services.

I'll be specifically addressing the voicemail service in this article, but I have no doubt that the following will apply to the fax services as well.  I figured: a free voicemail service with no hooks or hidden agendas, what's the harm in trying?

This article details exactly the harm found.  And for the record, I did e-mail the company expressing my concerns and willingness to help, but shockingly I never heard back from them.

The basics of the service are very simple.

You sign up for your free account, they assign you your own phone number and you can now receive voicemails from that number either in your e-mail or by logging into the K7 site.  You have the option to either let K7 pick one for you or search to find a vanity number.

When you register, the only information you have to provide is your e-mail, a 4-digit security code, how you found their service and the specifics on how you want to receive your messages.  This is when I first started questioning their security practices.  Your PIN must be 4-digits exactly and cannot start with a 0.

With all 9,000 possibilities this provides, somebody would be crazy to think they could have a script brute-force an account.  No matter, you'll see shortly that the strength of the PIN doesn't matter.  On to the good stuff.

Let's head on over to voicemail.k7.net to log in and start playing.

After logging in, if you click on "Check Your Messages", the URL looks something like this:

http://voicemail.k7.net/listen.asp?Phone=PHONENUMBER&newSession=true&sOrder=

Now go ahead and delete your voicemail.k7.net cookie for this session.

We certainly don't want the site to think you're trying to change your account when you're trying to change somebody else's; that could be disastrous.

The next step is a bit advanced, so hopefully I don't lose any readers with its complexity.

Change the PHONENUMBER in the URL to the number for the account you're interested in.  Everyone still with me?  If you click on "Modify Settings" you'll be able to see the user information for whoever has that number.

If all the fields on that page are blank, the number has either not been registered or is not one provided by K7.  The use of this gaping security hole is clear.
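The whole problem is that the site decides whose settings to show from the Phone parameter in the URL rather than from the logged-in session, which is why deleting the cookie changes nothing.  The following is an added illustration, not K7's code: a toy model of a settings endpoint with the vulnerable pattern beside a hardened one.  The phone numbers, e-mail addresses, PINs and session ids are all made up for the example.

```python
"""Toy model of a voicemail settings endpoint (constructed example, not K7's code).

Two handlers answer a request shaped like
    /listen.asp?Phone=PHONENUMBER&newSession=true&sOrder=
with an optional session cookie.  The vulnerable one trusts the Phone query
parameter; the hardened one binds the account to the authenticated session.
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample data: phone number -> account settings (made-up values).
ACCOUNTS = {
    "2065550100": {"email": "alice@example.invalid", "pin": "4821", "save_on_site": True},
    "2065550101": {"email": "bob@example.invalid", "pin": "7730", "save_on_site": False},
}

# Constructed session store: cookie value -> phone number it was issued for at login.
SESSIONS = {"sess-alice": "2065550100"}

# Events a defender would want to see; filled in by the hardened handler.
AUDIT_LOG = []


def phone_from_url(url):
    """Return the Phone query parameter from a listen/settings URL, or None."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("Phone", [None])[0]


def vulnerable_settings(url, cookie=None):
    """Vulnerable pattern: the account shown is whatever Phone= says.

    The cookie is never consulted, so deleting it (or never having one)
    makes no difference: any registered number's settings come back, and an
    unregistered number yields the blank form the article describes.
    """
    phone = phone_from_url(url)
    account = ACCOUNTS.get(phone)
    if account is None:
        return 200, {"email": "", "pin": "", "save_on_site": None}
    return 200, dict(account)


def hardened_settings(url, cookie=None):
    """Hardened pattern: the account comes from the session, not the URL.

    1. No valid session -> 401 and nothing disclosed.
    2. Phone= names a number other than the session's own -> 403 and an audit
       entry, since a legitimate user has no reason to send someone else's number.
    3. Otherwise return the session owner's own settings.
    """
    owner = SESSIONS.get(cookie)
    if owner is None:
        return 401, None
    requested = phone_from_url(url)
    if requested is not None and requested != owner:
        AUDIT_LOG.append({"owner": owner, "requested": requested, "event": "phone_mismatch"})
        return 403, None
    return 200, dict(ACCOUNTS[owner])


if __name__ == "__main__":
    probe = "http://voicemail.k7.net/listen.asp?Phone=2065550101&newSession=true&sOrder="
    print("vulnerable, no cookie:", vulnerable_settings(probe))
    print("hardened, no cookie:  ", hardened_settings(probe))
    print("hardened, wrong number:", hardened_settings(probe, cookie="sess-alice"))
    print("audit log:", AUDIT_LOG)
```

The hardened handler never looks the account up by the URL parameter at all; the parameter is only compared against the session's own number so that a mismatch can be logged.  That comparison is also the detection hook: a burst of 403s with differing requested numbers from one session is exactly the enumeration this article describes.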

If you got a new e-mail and want the voicemails sent there but you can't remember your PIN, now you can go in, update your e-mail and change your PIN to something you won't forget so easily next time (you silly goose).  Or perhaps you don't want "yourself" to know that you're accessing the account.

You can just make sure the account is set to save messages to K7's site and just listen to them on there.

I'm sure you can figure out the rest of the possibilities at this point.

I think it's also important to note that K7 is owned by a company that also provides other phone services, including 800 services for businesses (Kall8).  While the security on the other sites may vary, does the fruit fall that far from the tree?

-noir
