Textplus - Tue, Apr 2, 2019
Download link: Textplus
Textplus is a free texting and calling app like Textfree. Unlike Textfree, Textplus doesn’t offer a web client, which limits us to interacting with the mobile application only. That’s OK; let’s boot up our Android emulator and proxy. I’ve decided to start using Charles Proxy because it offers a better layout and I find it easy to work with, even though it’s not free. Like my Textfree hack, let’s start by looking over the application to see if we can spot anything that would be a deal breaker (I look for reCAPTCHAs, anti-bot software, and whether the application works over Tor).
When creating an account you are required to fill out a reCAPTCHA. This is a deal breaker: programmatically creating an account doesn’t seem possible. Looks can be deceiving, though. There is no correlation between the reCAPTCHA and the registration data, so the server never checks that the CAPTCHA was solved before it accepts the registration request. This means we don’t need to complete the reCAPTCHA. Let me be clear, I did bypass Google reCAPTCHA; Textplus just didn’t code it in all the way.
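The flaw above is a CAPTCHA that is rendered on the client but never bound to the request it is supposed to protect. The following is an added example (not Textplus code; the verifier class is a stand-in for a real CAPTCHA provider's verify call, and the `Accounts` class is hypothetical) showing the unbound registration handler next to a hardened one that requires a single-use CAPTCHA token on the same request and verifies it server-side before any account state is created:

```python
"""Added example: binding CAPTCHA verification to the registration request.
Not code from the original post; CaptchaVerifier stands in for a provider's
verify endpoint (assumption), and Accounts is a hypothetical user store."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CaptchaVerifier:
    """Stand-in for the CAPTCHA provider's server-side verify API.
    Tokens are single-use, as real verify APIs also reject replayed tokens."""
    issued: set = field(default_factory=set)

    def issue(self) -> str:
        # Simulates the token the widget hands to the client after a solve.
        tok = secrets.token_hex(8)
        self.issued.add(tok)
        return tok

    def verify(self, token: Optional[str]) -> bool:
        if token is None or token not in self.issued:
            return False
        self.issued.discard(token)  # consume: a token verifies exactly once
        return True


class Accounts:
    def __init__(self, verifier: CaptchaVerifier):
        self.verifier = verifier
        self.users = {}

    def register_unbound(self, username: str, password: str) -> bool:
        """The pattern described in the post: the client shows a CAPTCHA,
        but the registration endpoint never receives or checks the result,
        so a script can call this directly and skip the CAPTCHA entirely."""
        self.users[username] = password
        return True

    def register_bound(self, username: str, password: str,
                       captcha_token: Optional[str]) -> bool:
        """Hardened: the CAPTCHA token travels with the registration request
        and is verified server-side before the account is created."""
        if not self.verifier.verify(captcha_token):
            return False
        self.users[username] = password
        return True


def demo():
    """Walks both handlers; returns (unbound_ok, missing_token, valid, replay)."""
    verifier = CaptchaVerifier()
    accounts = Accounts(verifier)
    unbound_ok = accounts.register_unbound("bot1", "pw")        # True: no CAPTCHA involved
    missing_token = accounts.register_bound("bot2", "pw", None)  # False: token required
    token = verifier.issue()                                     # a genuine solve
    valid = accounts.register_bound("user", "pw", token)         # True
    replay = accounts.register_bound("bot3", "pw", token)        # False: token already consumed
    return unbound_ok, missing_token, valid, replay


if __name__ == "__main__":
    print(demo())
```

The point to check in a review of any signup flow is the hardened branch: the server must refuse to create the account when the token is absent, unknown or already used, rather than trusting that the client displayed the widget.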
After you create an account the server generates information that is vital for operations later in the exploit (like sending a text). For some reason the server responds to your registration request with your account data in the headers. I don’t understand why they did this, since they use JSON to transfer data between client and server for the entirety of the communication. This threw me off a little because I was expecting to get data back from the server the same way it was sent. After some looking around I found it.
Textplus uses a form of authentication that I have never seen used before, probably because it’s really bad. They use some sort of two-step authentication. You provide your username and password to “https://cas.prd.gii.me/v2/ticket/ticketgranting/service”, which returns a “ticket”. Here is a PHP program that will get a ticket for you.
With this ticket we move on to the second part of the authentication. You provide the ticket to “https://cas.prd.gii.me/v2/ticket/service”, which returns another, “authenticated” ticket. Here is a PHP program that will get you an “authenticated ticket” (make sure to provide all the information).
The “granted ticket” is required in every single request after login; this is their form of user authentication. With the granted ticket we move on to the next part of the process, which is assigning a number. We start by getting a list of available phone number locations. We will want to keep an eye on the “locale” values, as seen here:
Now that we have the “locale” information, we can go ahead and register our device. This is how we are assigned a number.
From what I can tell the Google push token seems to be static; I have had no issues reusing it over the past few weeks. On another note, this step isn’t actually required. We don’t need to register a device, because when we make an account Textplus automatically assigns us a temporary number, even though in the app you can’t send a text if you haven’t registered a number. This next part is how we can bypass device registration. Even without a number we can still “invite” people via text or email. Our interest is in the invite via text, which, by the way, Textplus allows us to customize. A few things to keep in mind: when you invite people you earn money in the app itself, which can be spent to make phone calls, and every account is assigned a different number, so every text that is sent via an invite comes from a different number.
As you can see we are allowed to set custom text. Here is the text coming through: