Hi all,
Working on two factor authentication for an app and using the Clickatell SMS plugin in Aware for the SMS (sends out the code) and noticed Aware uses regular HTTP and not HTTPS when calling the Clickatell API. If Aware sends the code out in the open, anyone could monitor and swoop that up and then use it to "bypass" the two factor auth which makes the whole thing flawed / useless. Any security guys (or Awaresoft) out there that can comment on this? Why isn't HTTPS used? What / how big are the risks using HTTP? What would it take to monitor and swoop up SMS sent from a server via HTTP?
Thanks
Two auth Clickatell flawed?
Henrik (V8 Developer Ed. - Windows)
- Posts: 7526
- Joined: Sun Apr 24, 2005 12:36 am
Re: Two auth Clickatell flawed?
Hi Henrik,
Aware IM uses whatever URL was in the Clickatell documentation. All questions should be directed to them.
By the way, is your Clickatell plugin still working fine? We have a customer who complains that it's not working for him and that Clickatell has changed some API, that broke the existing code.
Aware IM Support Team
Re: Two auth Clickatell flawed?
Ok, then it is HTTP and is not ideal. I will see if it's possible to just use HTTPS with the API instead. Can I then fix this myself if I just open up the plugin JAR files in some Java tool (is it as easy as changing the URL some place in the JAR files?). Yes, my plugin still works but I am on the old communicator platform and Clickatell has made some new stuff so all new accounts use some new platform where the API might be different (it is possible to request to come over to the old platform though so advise the person to try that).
aware_support wrote:
Hi Henrik,
Aware IM uses whatever URL was in the Clickatell documentation. All questions should be directed to them.
By the way, is your Clickatell plugin still working fine? We have a customer who complains that it's not working for him and that Clickatell has changed some API, that broke the existing code.
Henrik (V8 Developer Ed. - Windows)
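Added example, not part of the original posts and not Aware IM or Clickatell code: one way to audit a plugin JAR for hard-coded gateway URLs, which answers the "where is the URL" part of the question above and flags any that are plain HTTP. The sample JAR, the class and property names, and the `sms-gateway.example` host are all constructed for illustration.

```python
import io
import re
import zipfile

# String constants in .class files are stored as (modified) UTF-8, so an ASCII
# URL literal appears byte-for-byte once the JAR entry has been inflated.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_urls_in_jar(jar_bytes):
    """Return sorted (entry, url, is_cleartext) tuples for URL literals in a JAR."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info)  # read() decompresses the entry
            for match in URL_RE.finditer(data):
                url = match.group().decode("ascii")
                findings.add((info.filename, url, url.startswith("http://")))
    return sorted(findings)


def cleartext_endpoints(jar_bytes):
    """Only the entries whose URL would send the request (and the OTP) unencrypted."""
    return [(name, url) for name, url, clear in find_urls_in_jar(jar_bytes) if clear]


def build_sample_jar():
    """Constructed stand-in for a plugin JAR; names and host are made up."""
    url = b"http://sms-gateway.example/send"
    # Class-file magic/version followed by one CONSTANT_Utf8-style entry
    # (tag 0x01, 2-byte length, bytes). Not a loadable class, only test data.
    fake_class = (b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x00\x03"
                  + b"\x01" + len(url).to_bytes(2, "big") + url
                  + b"\x01\x00\x04Code")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("com/example/sms/SmsSender.class", fake_class)
        jar.writestr("sms.properties", b"status.url=https://sms-gateway.example/status\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, url in cleartext_endpoints(build_sample_jar()):
        print(f"cleartext endpoint in {name}: {url}")
```

A hit only locates the literal; whether the plugin can be pointed at an HTTPS endpoint depends on how the code uses that string and on the provider offering one.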
Re: Two auth Clickatell flawed?
"Yes, my plugin still works but I am on the old communicator platform and Clickatell has made some new stuff so all new accounts use some new platform where the API might be different (it is possible to request to come over to the old platform though so advise the person to try that)."
That's correct, the plugin does not work with the new Clickatell API....
Independent Developer
- Posts: 2413
- Joined: Mon Jul 02, 2012 12:24 am
- Location: Ulaanbaatar, Mongolia
Re: Two auth Clickatell flawed?
I use BulkSMS which uses https and works flawlessly. And does not need a plugin.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Re: Two auth Clickatell flawed?
- Can you select multiple entries and bulk send a template SMS?
- Choose or define the sender ID (mobile phone number)?
- Is it opening a tab for each sent SMS?
Independent Developer
- Posts: 2413
- Joined: Mon Jul 02, 2012 12:24 am
- Location: Ulaanbaatar, Mongolia
Re: Two auth Clickatell flawed?
I use it for sending SMS notifications to a distributions when a Safety Incident has occurred (can vary every incident)
You can set a sender ID.
Not sure what you mean by opening a Tab for each sent SMS.
Here are the features: http://www.bulksms.com/features/
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Re: Two auth Clickatell flawed?
I recommend Telerivet and PHP for OTP with HTTPS.
It's the most reliable way to send OTP and cheapest using your own phones.
You can have SMS requests sent to Aware with their webhook if you need to.