Missed call verification method lets user "verify" arbitrary numbers #989

Closed
ossguy opened this issue Apr 11, 2017 · 4 comments
Labels: duplicate (This issue or pull request already exists)

ossguy commented Apr 11, 2017

Expected behavior

A user cannot verify a number that they do not control.

Actual behavior

Users can easily "verify" numbers that they do not control by using the missed call verification method and spoofing their caller ID.

Steps to reproduce

  1. Perform a new installation of Kontalk on a phone with no SIM card.
  2. Enter a name and an arbitrary phone number on the first step of the setup wizard.
  3. The wizard will then present the user with a number to call.
  4. User can call the number from step 3 using a VoIP carrier that lets you set your caller ID to the number from step 2 (there are many of them - I can privately provide a list if needed).
  5. User has successfully verified an arbitrary number, which they might not own, nor have any relation to.

Environment

Kontalk version: 4.0.0 (220) from F-Droid

Other

The only real way to verify that someone owns a phone number is by calling or texting the number with some (ideally) cryptographically-secure random number that they then confirm. While sender ID spoofing for SMS is generally harder than caller ID spoofing for calls, it is best to not rely on one's ability to send SMS from a given sender ID for number verification either.
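Added example (not Kontalk's or JMP's code) modelling the two flows above: the reported caller-ID check, which passes as soon as the inbound call carries the claimed number, beside the server-initiated random-code check the last paragraph recommends, with a short expiry and an attempt cap so a six-digit code cannot be guessed. The phone numbers, the `send_code` delivery callable and the in-memory store are constructed stand-ins for a real carrier and backend.

```python
import hmac
import secrets
import time


class SpoofableMissedCallVerifier:
    """The flow the issue reports: the app shows a number, the user calls it,
    and the server treats the inbound caller ID as proof of ownership.
    Caller ID is chosen by the caller, so a VoIP line configured with the
    victim's number passes this check."""

    def __init__(self, inbound_number="+15550000001"):   # constructed number
        self.inbound_number = inbound_number
        self.pending = set()       # numbers claimed in the setup wizard
        self.verified = set()

    def start(self, claimed_number):
        self.pending.add(claimed_number)
        return self.inbound_number  # "please call this number"

    def on_inbound_call(self, caller_id, called_number):
        # The only evidence examined is the caller ID header the caller set.
        if called_number == self.inbound_number and caller_id in self.pending:
            self.pending.discard(caller_id)
            self.verified.add(caller_id)
            return True
        return False


class CodeVerifier:
    """Server-initiated flow: the server sends an unpredictable code to the
    claimed number and requires it back. Only a party that receives messages
    (or calls) at that number can finish, whatever caller ID it can forge."""

    CODE_DIGITS = 6
    TTL_SECONDS = 300
    MAX_ATTEMPTS = 5

    def __init__(self, send_code, code_factory=None, now=time.time):
        self.send_code = send_code          # send_code(number, code): assumed carrier interface
        self.code_factory = code_factory or self._random_code
        self.now = now
        self.pending = {}                   # number -> [code, expires_at, attempts_left]
        self.verified = set()

    @classmethod
    def _random_code(cls):
        # secrets, not random: the attacker must not be able to predict the code.
        return "%0*d" % (cls.CODE_DIGITS, secrets.randbelow(10 ** cls.CODE_DIGITS))

    def start(self, claimed_number):
        code = self.code_factory()
        self.pending[claimed_number] = [code, self.now() + self.TTL_SECONDS, self.MAX_ATTEMPTS]
        self.send_code(claimed_number, code)

    def confirm(self, claimed_number, submitted):
        entry = self.pending.get(claimed_number)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self.pending[claimed_number]   # expired or exhausted: must restart
            return False
        # Constant-time compare; with a short code the attempt cap is what matters.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self.pending[claimed_number]   # single use
            self.verified.add(claimed_number)
            return True
        entry[2] = attempts_left - 1
        return False


def demo():
    victim = "+15551234567"     # constructed victim number
    carrier_inbox = {}          # constructed carrier: number -> last code delivered

    weak = SpoofableMissedCallVerifier()
    call_target = weak.start(victim)
    # Attacker's VoIP line presents the victim's number as caller ID.
    spoofed_passes = weak.on_inbound_call(caller_id=victim, called_number=call_target)

    strong = CodeVerifier(send_code=lambda number, code: carrier_inbox.__setitem__(number, code))
    strong.start(victim)
    # The attacker never sees carrier_inbox[victim]; blind guesses are capped.
    blind_guess_passes = any(strong.confirm(victim, "%06d" % i)
                             for i in range(CodeVerifier.MAX_ATTEMPTS))
    owner_after_lockout = strong.confirm(victim, carrier_inbox[victim])
    # The real owner restarts and submits what the handset received.
    strong.start(victim)
    owner_passes = strong.confirm(victim, carrier_inbox[victim])
    return spoofed_passes, blind_guess_passes, owner_after_lockout, owner_passes
```

The `code_factory` and `now` parameters exist only so the behaviour can be pinned down in tests; in production the defaults (`secrets` and the wall clock) are the ones to keep.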

@daniele-athome daniele-athome self-assigned this Apr 13, 2017
@daniele-athome daniele-athome added the pending Issue is pending further analysis label Apr 13, 2017
daniele-athome (Member) commented

Thanks for reporting. I knew about this issue but decided to go on anyway and try it (at least for some time) because secure verification is very expensive (I mean very). The fallback method uses SMS-based verification (server sends a code to the user), which is more expensive as I said. The old primary method used server-initiated missed calls, which is expensive anyway because users answered the call even when the application explicitly said "do not answer the call" in capital letters and bold font. I don't know what else to do man.
I thought of also using other 3rd party methods (e.g. Telegram-based verification), but it always got delayed because of other stuff to do. Any other suggestion? I mean both for securing the current verification method and to try alternatives.

ossguy commented Apr 13, 2017

@daniele-athome JMP, a free software project I work on, would be happy to sponsor the outgoing SMS verification (including voice fallback) if Kontalk would be willing to add something like this to the bottom of its verification screens:

"Verification powered by JMP.chat" (JMP.chat linking to https://jmp.chat/ and perhaps with a JMP logo)

We have some experience doing this sort of number verification as part of the JMP registration process, and we'd be happy to contribute that to Kontalk. JMP would cover all the costs of the aforementioned phone-based verification as long as we could use JMP's existing back-end to provide the service to Kontalk. I don't expect it would be too hard to integrate the JMP back-end into Kontalk's verification process, but I'm happy to discuss technical details about that if you like.

You can find me in the JMP group chat at [email protected] if you want to chat more about this in real-time or discuss with me privately (I'm "ossguy" there).

I agree that phone-based verification is best for Kontalk - the third-party options you mentioned seem ok, but unlikely to cover a large enough percentage of users to make the implementation worth it.

daniele-athome (Member) commented

That would be great, sure! Do you have some docs I can quickly look at for the integration process?
I'll enter the conference room as soon as I can.

ossguy commented Apr 14, 2017

This should be taken care of primarily by kontalk/tigase-extension#77 - I can provide more details here if needed, but we can probably close this ticket in favour of that one.

@daniele-athome daniele-athome added duplicate This issue or pull request already exists and removed pending Issue is pending further analysis labels Apr 14, 2017