
How I Hacked GroupMe – Accessing Other Groups Messages


Hey guys!

This is a bit of an unrelated topic to the whole MasterSelf ensemble, but I wanted to start sharing some of my technological adventures with the world.

This week I’m going to get into how to “hack” GroupMe and access messages from other groups, and how I actually discovered this vulnerability.

A sharp eye

It all started out when I noticed something strange in my text messages. When I was part of a GroupMe group, I would get sent these short URLs when others sent emojis or other media in the chat.

Being a programmer by trade, I noticed the specific reference to my message was encoded in that 7-letter string on the end of the link.

Assuming this is a case-sensitive alphanumeric encoding, that is 7^((26*2)+10) combinations, which is quite a bit, but easy for a computer to guess.

Spamming the server with requests

I fired up my HTTP request fuzzer (this tool basically allows you to generate random strings as website requests in an attempt to guess a correct URL) and at first just started guessing the last 3 characters of the string (this only means 3^((26*2)+10) combinations).

Looks like the website doesn’t care if you spam it with requests...

And bingo, I started seeing other messages.

Improvements?

Going forward, it would be interesting to collect all the viable URLs and attempt to find a pattern in how these are generated. I highly doubt that these 7-letter strings are generated randomly; they are probably the result of some hash function on a unique ID that is given to each message.

I have attempted to contact Microsoft about this issue but got no reply on my 2nd message asking if this is viable for the bug bounty program.

Therefore, I am going to release this to warn the public about how your GroupMe messages are probably not as safe as you think…
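A defender-side sketch of the two gaps described above: short, guessable link tokens and no throttling of repeated requests. This is an added example, not GroupMe's code or the author's; the names `keyspace`, `expected_guesses_per_hit`, `new_token` and `MissLimiter`, and the thresholds, are assumptions for illustration.

```python
import secrets
import string
import time
from collections import defaultdict, deque

ALPHABET = string.ascii_letters + string.digits  # 62 case-sensitive symbols


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of this length (alphabet_size ** length)."""
    return alphabet_size ** length


def expected_guesses_per_hit(length, live_tokens):
    """Average random guesses before one lands on any live token."""
    return keyspace(length) / live_tokens


def new_token(nbytes=16):
    """Unguessable link identifier: 128 bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(nbytes)


class MissLimiter:
    """Refuses a client that asks for too many unknown tokens in a window."""

    def __init__(self, max_misses=5, window_s=60.0):
        self.max_misses = max_misses
        self.window_s = window_s
        self._misses = defaultdict(deque)  # client id -> miss timestamps

    def _prune(self, client, now):
        # Drop misses that have aged out of the sliding window.
        q = self._misses[client]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def allowed(self, client, now=None):
        now = time.monotonic() if now is None else now
        return len(self._prune(client, now)) < self.max_misses

    def record_miss(self, client, now=None):
        # Call this whenever a lookup returns "not found".
        now = time.monotonic() if now is None else now
        self._prune(client, now).append(now)
```

Throttling only slows enumeration; the links still need an authorization check so that a valid token alone does not expose another group's content.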

Published by
ardacole