Introduction - Call me back function
A while ago, while visiting the ziggo (a telecom company) website, I came across the call me back function. I tested the function and noticed that you were immediately called by ziggo’s customer service. I immediately got the idea that this function could be abused. After looking at the api calls I found out that the API was provided as plain text in every request.
By writing a simple script it was possible to have multiple phones calling as the ziggo customer service.
Attacks can call in the name of Ziggo. It is possible to use the automated phone service to harass other persons/companies in the name of Ziggo (Denial of Service). When this vulnerability gets discovered by others, it could cost Ziggo money and decrease it’s image.
Steps to reproduce - Report
Ziggo does not respond to the request to put my findings online.The document is only available for teachers at the moment.