Dhiraagu WebSMS has been a dear friend to a lot of us. Some of us see it as a means of communicating with friends cheaply when we are strapped for cash while some others use it for more malicious purposes. Anyway, I took a different interest in it since its introduction some years ago.

Once upon a time...

When WebSMS was introduced, Dhiraagu relied on the interface scripts provided by Comverse for their SMS system purchased from Comverse. One part of the web interface had minor changes brought to sport Dhiraagu logos and copyright lines and was offered to the public as WebSMS. It was free for use and had no limits and no Dhiraagu signature lines appended. It was total fun! Ofcourse the fun was just beginning and I forayed into the scripts and ended up with access to the rest of the system that "websms" was actually part of... Dhiraagu then started to bring changes. I suspect these changes were politically influenced rather than being for their own financial or technical reasons.

First, Dhiraagu had a signature line appended to messages. The message was easy to get rid of by merely modifying the form data being submitted to the server. Ofcourse, Dhiraagu fixed it (sorta) in due time.

Next up, they decided to add user registration. It was still free thankfully. This was the first in a step of moves they've made to gather more and more specific data on the users. This initial user registration allowed anyone with an email address to open an account. This ofcourse meant, you can use throw-away free emails and aliases to open WebSMS accounts without revealing any real info on yourself.

Then few months later, the registration with email addresses was scrapped and people were required to have a mobile number to register. The old accounts were ofcourse purged after this change. This new change ruled out random people opening accounts and sending SMS - you needed to be their customer to send SMS via the web.

Sometime late 2004, they decided to limit the number of SMS to 10 per day per account. Now to implement this, they used a messed up implementation of sessions and cookies. When you login, you got assigned a cookie that set a key "Dhi" with a value of the form "12345%2cWanker%2cWho". Simply by altering the "12345", which is probably something meant to act as a session id, one could override the 10 SMS per day limit. By changing this value, you effectively assume the identity of another user - but all without any authentication! Simply change the number and you are good for another 10 SMS. Interesting thing was that user/session id didn't need to exist on their server - you could very well use 1000000 and move onto 1000001, 1000002 and so on for more SMS. I had the pleasure of getting my server blocked/ignored by Dhiraagu after I added this 'hack' to my Email2SMS service offered at the time via maldivianunderground.net - but the block wasn't placed until after my Email2SMS service had dispatched around 2000 SMS total using the 'hack' by the second/third day after they brought the "upgrade".

I should mention there were other interesting but less trivial flaws in the WebSMS system - like being able to reset the password for (all) users on the system via SQL injection. The database table they had, had the following fields (amongst others) : userid, username, password, mobileno. The login and password change facilities had SQL injection and logic deduction possibilities...

Soon after the 10 SMS limit "upgrade", in May 2005, Dhiraagu made another of its upgrades to make the messages that were being sent via the system seem to originate from the number of the WebSMS account holder. Uptil then, the originating number was "+000". This new upgrade killed the anonymity of messages being recieved by a WebSMS recipient. It killed the fun ofcourse and I had to find some way to get around it - just to piss off friends. It turned out Dhiraagu had simply appended the account holder's number to the cookie that is set when a user logins - and then uses that number from the cookie to represent the originating number whenever a SMS is sent. If you are having a hard time imagining how it looked, the cookie was of this form: Dhi=12345%2cJawish%2cJaa%2c770000. This opened up new possibilities! I could make SMS appear to originate from any number. I could make it that of a friend's or foe's. I could make the number an international one or even a landline one. Seeing my dad stare at the phone in disbelief when he received an SMS from himself was fun enough! Hehe.

Sadly, these "features" were fixed when Dhiraagu upgraded the system yet again in August 2005. No wild originating fun for now. I haven't messed around with it yet - much.

Psst. Tricks!

To finish off this lengthy post on Dhiraagu WebSMS, I'm sharing two neat tricks that you may like and still works on Dhiraagu WebSMS as of today.

No signature line: Don't want the "(Dhiraagu WebSMS)" line to appear in messages you send via the WebSMS system? Then simply add a equal sign ("=") as the last character in your post!

Long messages: Do you have some looonnggg message to send to someone and it's hard to fit in the 140 character limit that WebSMS imposes on you? Worry no more. You don't need to split the message into bits and send as separate messages and risk decreasing that dreaded 10 SMS limit you have for the day. All you need to do is disable JavaScript support in your browser temporary (It is an easy feat - consult your browser documentation on how to do this). When you type in the messages now, the limit counter will stay the same and you can go on typing forever. The messages are sent to the recipient as discrete SMS messages of text limit ~140 characters each. However, you will be penalized for only one SMS in the WebSMS daily limit counter.

Enjoy!

Update (14 Oct 2005): Dhiraagu has fixed the bugs that made possible the two tricks revealed above. Too bad

[Trring triing]
Hello, this is Jaa. I'm away right now, please leave a message at the beep.
[Beep!]

Hey ya! I'm calling in from Reading (UK) from the (dis)comforts of my room in a university accomodation hall. I flew in to Gatwick via Doha from the Maldives on Qatar Airways. The trip was bothersome and the planes were really a disappointment, really. The wait at Doha was terrible more so contributed by the horrible airport itself. The fellow at the boarding gate took a clean 5 minutes looking at my passport. At first I thought he had something in his eye and was using my passport as mirror - he surely had it up close to his eyes! Then he started eyeing me up and let me go after ages of waiting and getting wierd looks from fellow passengers. Just as I thought the hassle was over, the fellow came over as I was sitting the boarding lounge and took away my passport for another 15 minutes, all without a mention of what was up. Later he came back with it and was courteous enough to let me know there was something "abnormal" about my passport. Oh well, the Maldivian government issued the passport so I should let them know there is something abnormal with their passports...

On arrival to Gatwick, Qatar Airways had managed to loose my luggage somewhere - hopefully not into a deep ocean. I continued my journey to Reading -minus my luggage- on a train on which I kept falling in and out of some wierd reality. Maybe the lack of sleep the previous night contributed to this yet again "abnormal" event. I took a cab from Reading Railway Station to my accomodation hall. Ofcourse, this was no easy feat when I kept feeling wierd realities mixup with each other but I finally stumbled into some university representatives that pointed in me the correct direction and rid me of using my intellectual faculties at all.

The accomodation hall is quite wicked and I love it. The building is quite new, modern looking and beautifuly decoured. (Coolest of all, all access to building areas including my room are controlled by RFID cards). There are 7 other tenants in the flat block I am in. All of them British and none of them study any science. Oh yes, there are girls too and some(one?) quite yummmyyyy delicious too.... sigh.

It is the fresher's week now and lots of stuff happening. The enrolment stuff and faculty and course introductions going on as well as lots of fun social activities. While I am trying not to be anti-social, I don't think I'm making much progress in being sociable. My eyes are bloodshot from continuous wear of contact lens - part induced by the lack of spectacles and lens cleaning solution with me.

I'd post some pictures but I don't have the camera cable either. Oh well I guess I shall continue wearing the same clothes for a little more while too! All these thanks to Qatar Airways. These airline buggers have been crawling at the speed of snails. They are being really really careless and have not located my luggage still.

On a slightly more optimistic cheerful note, I am liking it here. I really am. I guess I'll have to wait for uni studies to start to make a solid comment though.

Toodles.