
Hacking Obopay

Goal: automated posting of payments to another person using the pay-by-text service Obopay

Strategy: Multi-step curl form POSTs with faked user-agent.

Status: Mission Accomplished

0 Env

$ alias curlzilla='curl --user-agent "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"'

1 Casual visit

wap.obopay.com redirects to http://wap.obopay.com/SmartPath/wap?app=obopay

curlzilla "http://wap.obopay.com/SmartPath/wap?app=obopay"

On this page is the session id (sid), I think:

<form  action='http://wap.obopay.com/SmartPath/wap?app=obopay&amp;c=&amp;sid=obopay-1174080208662&amp;crt=REGISTER'  method='post'  >

From above: sid=obopay-1174080208662

So, keeping only the bare value (the URLs below already write sid=$SID, so SID must not itself contain "sid="):

export SID=obopay-1174080208662

2 Login

PPPPPPPPPP = your phone #
XXXX = your PIN

curlzilla -d "TEXTBOX1=PPPPPPPPPP&TEXTBOX2=XXXX&submit-MAINMENU-Submit=Submit" "http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=$SID&crt=REGISTER"

3 'Send money'

curlzilla "http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=$SID&crt=MAINMENU&NEXT=PAY&aid=SENDMONEY"

4 Input recipient details

curlzilla -d "TEXTBOX1=9282745257&TEXTBOX2=1&TEXTBOX3=00&TEXTBOX4=test&TEXTBOX5=1371&submit-CONFIRM-Next=Next" "http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=$SID&crt=PAY"

5 Confirm

curlzilla -d "POSTDATA=submit-RESULT-Send=Send" "http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=$SID&crt=CONFIRM"
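The five steps above as one script, added here as an example (not code from the original page): it pulls the sid out of the landing page with grep instead of pasting it by hand, builds each step URL from the bare sid so "sid=" is not doubled, and turns the curlzilla alias into a function because aliases are not expanded inside scripts. The meaning of the TEXTBOX fields in step 4 is not stated on the page, so the recipient string is a caller-supplied assumption in the page's own format.

```shell
#!/bin/sh
# Added example, not from the original page. Field names (TEXTBOX*, submit-*,
# crt=, aid=) are taken from the page; the step-4 recipient fields are passed
# through as a caller-supplied string because their meaning is not documented.

# An alias is not expanded inside a script, so curlzilla is a function here.
curlzilla() {
    curl --silent --show-error --fail \
        --user-agent "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1" \
        "$@"
}

# Print the first sid= value found on stdin; stop at &, a quote or whitespace.
# The landing-page form action carries it as ...&amp;sid=obopay-NNN&amp;crt=...
extract_sid() {
    grep -o "sid=[^&'\" ]*" | head -n 1 | sed 's/^sid=//'
}

# Build a step URL: $1 = sid, $2 = crt (screen name), $3 = optional extra query.
step_url() {
    printf 'http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=%s&crt=%s%s' \
        "$1" "$2" "${3:+&$3}"
}

# Run the flow: phone, PIN, and the step-4 recipient string
# ("TEXTBOX1=...&TEXTBOX2=...&TEXTBOX3=...&TEXTBOX4=...&TEXTBOX5=...").
# Not called automatically; invoke it yourself with your own values.
obopay_flow() {
    phone=$1 pin=$2 recipient=$3
    sid=$(curlzilla "http://wap.obopay.com/SmartPath/wap?app=obopay" | extract_sid)
    if [ -z "$sid" ]; then
        echo "no sid on landing page; the form layout may have changed" >&2
        return 1
    fi
    curlzilla -d "TEXTBOX1=$phone&TEXTBOX2=$pin&submit-MAINMENU-Submit=Submit" \
        "$(step_url "$sid" REGISTER)" >/dev/null
    curlzilla "$(step_url "$sid" MAINMENU 'NEXT=PAY&aid=SENDMONEY')" >/dev/null
    curlzilla -d "$recipient&submit-CONFIRM-Next=Next" "$(step_url "$sid" PAY)" >/dev/null
    curlzilla -d "POSTDATA=submit-RESULT-Send=Send" "$(step_url "$sid" CONFIRM)"
}

# Constructed copy of the landing-page form line, for checking extract_sid offline.
SAMPLE_FORM="<form  action='http://wap.obopay.com/SmartPath/wap?app=obopay&amp;c=&amp;sid=obopay-1174080208662&amp;crt=REGISTER'  method='post'  >"
```

If extract_sid prints nothing, the landing page no longer embeds the sid in the form action and the later steps will fail with a fresh session, so the script stops there instead of posting blindly.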

6 Bask in success

I will be going to the Brooklyn Brewery with my referrals.