
Ziggo.nl Call me back API key leak Responsible disclosure

☕ 2 min read · 👨‍💻 Ibrahim Durmus


Introduction - Call me back function

A while ago, while visiting the website of Ziggo (a Dutch telecom company), I came across the call me back function. I tested the function and noticed that you were immediately called by Ziggo's customer service. I immediately got the idea that this function could be abused. After looking at the API calls, I found out that the API key was sent in plain text in every request.

By writing a simple script it was possible to have multiple phones ring with a call from Ziggo's customer service.
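To make the flaw concrete, here is an added example (my own illustration, not Ziggo's code and not the script from the report, whose endpoints and key format are not public). It models a call me back feature twice: first in the flawed shape, where the API key is shipped to the browser and any script that has seen one request can replay it against a list of numbers, and then behind a hypothetical server-side handler that keeps the key private, validates the number, and throttles requests per client and per number. The `Dialer` class, the key value, the limits and the 50 constructed numbers are all assumptions.

```javascript
// Added example, not Ziggo's code. Compares a leaky "call me back" design
// with a server-side handler that keeps the dialer key private and
// throttles requests. All endpoints, keys and numbers here are made up.

// Constructed stand-in for the telephony API: it only records what it
// would have dialled. The real API and key format are not known.
class Dialer {
  constructor(apiKey) {
    this.apiKey = apiKey;
    this.placed = [];
  }
  call(number, key) {
    if (key !== this.apiKey) return { ok: false, reason: 'bad_key' };
    this.placed.push(number);
    return { ok: true };
  }
}

// Flawed pattern: the key is embedded in client-side code, so anyone who
// reads one request can replay it with an arbitrary list of numbers.
function clientSideCallMeBack(dialer, leakedKey, numbers) {
  return numbers.map((n) => dialer.call(n, leakedKey));
}

// Hardened pattern (hypothetical): the browser posts only a phone number;
// the handler validates, rate-limits per client and per number, and only
// then dials with a key that never leaves the server.
class CallbackHandler {
  constructor(dialer, apiKey, opts = {}) {
    this.dialer = dialer;
    this.apiKey = apiKey;                                        // server-side only
    this.perClientLimit = opts.perClientLimit ?? 3;              // requests per window
    this.windowMs = opts.windowMs ?? 60 * 60 * 1000;             // 1 hour window
    this.numberCooldownMs = opts.numberCooldownMs ?? 24 * 60 * 60 * 1000; // 1 call/number/day
    this.byClient = new Map();   // clientId -> [request timestamps]
    this.byNumber = new Map();   // normalized number -> last dial time
  }

  // E.164-style check: optional "+", 8 to 15 digits, no leading zero.
  // Returns the digits without "+" or null if the input is not acceptable.
  static normalize(raw) {
    const digits = String(raw).replace(/[\s\-().]/g, '');
    return /^\+?[1-9]\d{7,14}$/.test(digits) ? digits.replace(/^\+/, '') : null;
  }

  request(clientId, rawNumber, now = Date.now()) {
    const number = CallbackHandler.normalize(rawNumber);
    if (!number) return { ok: false, reason: 'invalid_number' };

    // Sliding window per client (e.g. source IP or session).
    const recent = (this.byClient.get(clientId) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.perClientLimit) return { ok: false, reason: 'client_rate_limited' };

    // Cooldown per target number, so one victim cannot be called repeatedly.
    const last = this.byNumber.get(number);
    if (last !== undefined && now - last < this.numberCooldownMs) {
      return { ok: false, reason: 'number_cooldown' };
    }

    const res = this.dialer.call(number, this.apiKey);
    if (!res.ok) return { ok: false, reason: res.reason };
    recent.push(now);
    this.byClient.set(clientId, recent);
    this.byNumber.set(number, now);
    return { ok: true, number };
  }
}

// Stand-alone demonstration with 50 constructed numbers from one client.
function demo() {
  const KEY = 'example-key-not-real';
  const numbers = Array.from({ length: 50 }, (_, i) => `+3161234${String(i).padStart(4, '0')}`);

  const leaky = new Dialer(KEY);
  clientSideCallMeBack(leaky, KEY, numbers);          // every number gets dialled

  const guarded = new Dialer(KEY);
  const handler = new CallbackHandler(guarded, KEY);
  const results = numbers.map((n) => handler.request('203.0.113.7', n, 1000000));
  const refused = results.filter((r) => !r.ok).length;
  return { leakyCalls: leaky.placed.length, guardedCalls: guarded.placed.length, refused };
}

module.exports = { Dialer, clientSideCallMeBack, CallbackHandler, demo };
```

Running `demo()` dials all 50 numbers through the leaky design but only 3 through the handler; the remaining 47 are refused by the per-client limit. The per-number cooldown and the E.164 check are the other two controls a practitioner would want on such an endpoint, since a key that stays server-side only helps if the server itself refuses to be used as a free autodialler.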

Impact

Attackers can place calls in the name of Ziggo. It is possible to use the automated phone service to harass other persons or companies in the name of Ziggo (Denial of Service). If this vulnerability were discovered by others, it could cost Ziggo money and damage its image.

Steps to reproduce - Report

Ziggo has not responded to my request to publish my findings online. The document is only available to teachers at the moment.

Download the Responsible disclosure report

Misconfiguration Reported

After reporting my findings, I sent Ziggo an e-mail asking them to look into the vulnerability as soon as possible. The next day I received an e-mail saying that they were going to take care of the problem.

Mitigation

After about 6 months, the feature was completely removed from the website. After that, the API was still available for about 4 more months. I have asked Ziggo whether I may disclose the technical details and the process of the vulnerability, for my blog or a presentation at school.

I was also wondering what I would receive as compensation based on section 2.4 of the Remuneration Policy in the Code of Conduct Responsible Disclosure document (ziggo-gedragscode-responsible-disclosure.pdf).
Unfortunately, I have not received an answer to these questions to date 😔

Disclosure Timeline

27-03-2019 - Vulnerability reported to Ziggo.
29-05-2019 - A/B test by Ziggo.
01-10-2019 - No response from Ziggo. Found that the function was removed; the API was still vulnerable.
04-04-2020 - API was disabled. Still waiting for a response.
30-12-2020 / 04-01-2021 - Recontacted Ziggo about publishing the findings.


WRITTEN BY
Ibrahim Durmus
Cyber Security Student