Tuesday, July 24, 2007

How to hack WAP portals


NOTE: This post is based on my personal experience and is not intended to cause any malicious harm. I strongly believe that transparency is a necessity on the Internet, and will gladly post comments (and other viewpoints) surrounding this topic in the interest of educating others on the need to plug security loopholes.


Quick tip on how to hack your way through WAP portals using Firefox.

Install the following Firefox add-ons:
  • Modify Headers: used to add, modify and filter HTTP request headers
  • wmlbrowser: used to emulate a WML browser, although most mobile sites these days should be compatible with XHTML-MP

After restarting Firefox, both add-ons should be active.

To spoof your way through, do as follows:

In Firefox, click Tools > Modify Headers.

Add: x-up-calling-line-id, followed by a mobile number, e.g. 60128889999:


You should now see the header entry, and it should be "enabled" (green circle):


With this in hand, you can spoof your way through to initiate content downloads such as ringtones, wallpapers, and more. What's scary is that you can initiate downloads for random mobile numbers. Unless an SMS acknowledgement is part of the process, this random user will be charged the cost of the download. The screenshot below shows my spoofing experience with a content download via the Maxis WAP Portal. Thankfully, this one required an SMS acknowledgement.
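The loophole is that the portal treats a client-supplied x-up-calling-line-id header as proof of who is calling. The check below is an added example, not part of the original post or any operator's code: it accepts the header only when the TCP peer is the operator's own WAP gateway and still requires the SMS acknowledgement before billing. The gateway address range, function names and return values are assumptions.

```python
import ipaddress

# Assumption: address range of the operator's own WAP gateways
# (constructed value from the documentation range 192.0.2.0/24).
TRUSTED_GATEWAYS = [ipaddress.ip_network("192.0.2.0/28")]
MSISDN_HEADER = "x-up-calling-line-id"


def from_trusted_gateway(peer_ip):
    """True only if the TCP peer address belongs to a known gateway.

    peer_ip must come from the socket, never from a request header such
    as X-Forwarded-For, which the client controls just as easily.
    """
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_GATEWAYS)


def subscriber_identity(peer_ip, headers):
    """Return the MSISDN to act on, or None if it cannot be trusted."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    msisdn = normalized.get(MSISDN_HEADER)
    # A header arriving from anywhere but the gateway is attacker input.
    if msisdn is None or not from_trusted_gateway(peer_ip):
        return None
    # Basic shape check: ASCII digits only, plausible length.
    if not (msisdn.isascii() and msisdn.isdigit() and 8 <= len(msisdn) <= 15):
        return None
    return msisdn


def authorize_download(peer_ip, headers, sms_confirmed):
    """Decide what to do with a paid-content request."""
    msisdn = subscriber_identity(peer_ip, headers)
    if msisdn is None:
        return ("reject", None)
    # Even a gateway-asserted number is billed only after the subscriber
    # acknowledges by SMS from the handset itself.
    if not sms_confirmed:
        return ("pending_sms_confirmation", msisdn)
    return ("bill", msisdn)
```

This relies on the gateway overwriting any copy of the header sent by the handset; if it passes client headers through unchanged, the source-address check alone does not help.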
