Huge hole in Avito

Mar 03, 2021

Every time I come across this, I never cease to wonder how it is possible that a large company can have SUCH security holes.

If you think that when you sell something with Avito delivery your money cannot be stolen, you are mistaken.

Huge hole in Avito - any account costs nothing to hack

It turned out to be remarkable: Avito lets you change the e-mail address on an account by phone. All you need to do is call from the linked number and say that you want to change your e-mail.

I wrote about the technical possibility of changing the number when making a call three years ago (https://ammo1.livejournal.com/996419.html). After the story with Navalny, everyone knew about such an opportunity, except for Avito's support.


Any petty crook can use a caller-ID spoofing app, call "from" the linked number, and change the e-mail in your Avito account. Having changed the e-mail, he can then reset the password through the password recovery function. No notification is sent to the old (real) e-mail address at any point.


When goods are sent by Avito delivery, the seller's phone number, the one linked to the Avito account, must be printed on the parcel label. Many people can see this number: the clerk who accepts the parcel at the Boxberry point or the Russian Post office, and everyone else involved in the delivery. At any stage it is enough to take one photo of the package to get the phone number. After that everything is simple: they change the e-mail right away, wait for the buyer to pick up the parcel, immediately change the password, log into the account and withdraw the money to their own card.

Avito is not bothered at all that someone logs into the account from another country; a warning about it is sent, but only to the e-mail address, which by then belongs to someone else.


Nor is Avito bothered that all these manipulations with the account happen exactly while an Avito delivery is in progress.

Using this simple scheme, the attackers stole 119,000 rubles from just one delivery, and this story is certainly not unique.

The victim conducted his own investigation and described the whole story in detail here.

I would very much like to hope that Avito will pay attention to this situation and at least add a notification to the old Email when trying to change the e-mail by phone, and confirm this action by SMS.
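The two flows side by side, as an added example that is not Avito's code or the author's: the caller-ID-trusting change the post describes, and a hardened version that follows the post's two suggestions (notify the old address, confirm with a one-time SMS code sent to the number on file). The Account fields, the Outbox stand-in for the SMS gateway and mailer, and all phone numbers and addresses are constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    phone: str      # number linked to the account (the one printed on the label)
    email: str
    password: str

@dataclass
class Outbox:
    """Constructed stand-in for the SMS gateway and mailer; records what was sent."""
    sms: list = field(default_factory=list)    # (to_phone, text)
    mail: list = field(default_factory=list)   # (to_email, text)

def change_email_by_caller_id(acct, caller_id, new_email, out):
    """Flow described in the post: the displayed caller ID is the only proof,
    and the old address is never told. Caller ID is attacker-controlled input."""
    if caller_id != acct.phone:
        return False
    acct.email = new_email
    return True

pending = {}  # hardened flow: phone -> (one-time code, requested new e-mail)

def request_email_change(acct, caller_id, new_email, out):
    """Hardened flow (assumed design): caller ID only selects the account; the proof
    is a code delivered to the number on file, which a spoofed caller never receives."""
    if caller_id != acct.phone:
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    pending[acct.phone] = (code, new_email)
    out.sms.append((acct.phone, f"Confirm e-mail change with code {code}"))
    out.mail.append((acct.email, f"E-mail change to {new_email} was requested; "
                                 "if this was not you, contact support"))
    return True

def confirm_email_change(acct, code, out):
    """Second step: constant-time compare against the pending code, then notify the old address."""
    entry = pending.get(acct.phone)
    if entry is None or not secrets.compare_digest(entry[0], code):
        return False
    old, acct.email = acct.email, entry[1]
    del pending[acct.phone]
    out.mail.append((old, f"Your e-mail was changed to {acct.email}"))
    return True
```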

And it will also be correct if Avito reimburses all losses suffered from the security hole in the "Avito-Delivery Safe Deal".

© 2021, Alexey Nadezhin
