GroupMe: A Modern Approach to Social Engineering

by Jacob

Social engineering is the art of manipulating people to give out sensitive information.

This is a true form of hacking on a non-technical level.  An example of social engineering is convincing someone that you are with a company that the victim is affiliated with.  Once you've convinced the victim, social engineering comes into play by asking for information such as address, phone numbers email addresses and more.

So what does GroupMe have to do with social engineering?

If you are unaware, GroupMe is a new and rapidly growing app on the Android Market as well as the Apple App Store that allows people to create groups.  With GroupMe , users are able to send one text message and have it sent to a group of people.  Sounds normal and very useful (which it is).  I've noticed that there is a flaw with this application.  Allow me to explain.

Once a user has installed the GroupMe application from the Market or App Store, they will need to verify their phone number by typing in a verification code sent to them via text message.  The cool thing about this application is that you can register the same phone number on multiple devices.  I tried this out using my Android device as well as an iPod Touch.  However, in order to view the GroupMe messages on a separate device, the verification code will be sent to the phone number that you are trying to register.

This is where we can use social engineering to gain access:

1.)  Install GroupMe on a device.  I would recommend using devices like an iPod Touch or a Tablet.

2.)  Install Google Voice on the same device and sign up for a phone number.

3.)  Type in the victim's phone number and have GroupMe send the victim a verification code.

4.)  Use Google Voice to send a text message to the victim asking for the verification code.

Step 4 is going to be the most difficult step in this process.

Don't give up though.  If a verification code has been sent to the victim by GroupMe as well as a follow-up text stating that the victim should have received a GroupMe verification code, the outcome should be in your favor.

The following can be a sample text that you can send to the victim asking for the GroupMe verification code:

Automated Response: This is a courtesy text message from GroupMe.

A verification code has been sent to you in a different text message
to verify your current GroupMe membership.  Please respond to this message 
with the verification code. 

Once the victim has responded with the verification code, plug it into your GroupMe verification.  Once it has successfully authenticated, make it look professional and respond to the victim with:

Thank you.  Your GroupMe membership has been verified. 

5.)  Delete the Google Voice account.

If you are successful, any messages that are sent to the victim's group will be received on the device you registered with.

You can then start gathering information that is being sent to and from the victim and begin the social engineering process.

Once you have access to someone else's GroupMe , you will then be able to view contact information for other people that are in the group.

You will then have opportunities to perform the same steps to other people within the group.  From there, you can branch out and find out as much information about your victim to prepare yourself for future social engineering attacks.

I do not support illegal activities.  I am just simply pointing out a potential social engineering opportunity/flaw that people need to be made aware of.  This tutorial is for educational purposes only.  I am not responsible for your actions.

Return to $2600 Index