BBM for iOS app susceptible to proxy-based line-skipping

After a failed attempt last month at rolling out BlackBerry Messenger (BBM) for iOS and Android, BlackBerry is giving the rollout another try. However, anybody who did not sign up previously is stuck waiting for their turn as BlackBerry slowly rolls out BBM to new users... unless you know how to skip the line.

Somewhat surprisingly, it only took iMore a few minutes to find a way to bypass the BBM queue by proxying a device's traffic. After launching the app, BBM will ask you to enter your email address. The app then checks with BlackBerry's servers to see if you're supposed to have access yet. If not, the app will tell you to come back when you've received an email telling you that you've reached the front of the line. There's a button in the app that says "I got the email" which, when tapped, will check with BBM's servers again to see if it's supposed to let you in. Rather than waiting for the email, you can just change the server's response.

Using a proxy like Charles, you can proxy your device's traffic, monitor requests made by BBM, and alter the response returned by the server. In this case, the app makes a request to which contains a few pieces of data, including your email address. A response for a user who does not yet have access will look something like this:

    {
        "message": "",
        "result": {
            "count": [some value],
            "email": [some email address]
        },
        "status": "success"
    }

The interesting part here is "count". Can you guess what the value of count is for a user who is supposed to have access? If you guess correctly, you win the ability to use the BBM iOS app. If you modify the server's response to have that count value, BBM will let you move on to the account creation screen.

Some of you may be wondering "who would want to go to this trouble to use BlackBerry Messenger?" I honestly don't know, but there you have it. CNET actually published a much easier trick, but users seem to be having mixed luck with it and iMore was not able to reproduce their findings for iOS.

iMore reported the issue to BlackBerry earlier today, and we anticipate a fix in the near future. One solution would be for BlackBerry to add a server-side check to the account creation process, so that when a user submits their new account information, BlackBerry's servers would check on their side to see if that user is supposed to have access yet. If they were not, the account creation would fail on BlackBerry's servers and an error would be returned to the app. This is how Mailbox patched a very similar vulnerability in their queueing system earlier this year.
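To make the proposed server-side check concrete, here is an added Python model of the queue flow as the article describes it (constructed for this page; not BlackBerry's, iMore's or Mailbox's code). The email addresses, the rollout table, the use of 0 as the front-of-line `count` value and the `AccountService` class are all assumptions; the real front-of-line value is not disclosed in the article.

```python
"""Model of a rollout queue gated client-side vs. server-side (constructed example)."""
from dataclasses import dataclass, field

# Constructed stand-in for the rollout state: email -> position in line.
# In this model, 0 means the user has reached the front (assumption, not the real value).
ROLLOUT_POSITION = {
    "ready@example.com": 0,
    "waiting@example.com": 1234,
}
NOT_REGISTERED = 10**6


def eligible(email):
    """Single source of truth for eligibility, evaluated only on the server."""
    return ROLLOUT_POSITION.get(email, NOT_REGISTERED) == 0


def queue_status(email):
    """Response the app polls; same shape as the JSON shown in the article."""
    count = ROLLOUT_POSITION.get(email, NOT_REGISTERED)
    return {"message": "", "result": {"count": count, "email": email}, "status": "success"}


def app_allows_account_creation(response):
    """Client-side gate: the decision rests on bytes the client received over the network,
    so anything that sits between app and server (a proxy, for instance) decides it."""
    return response["result"]["count"] == 0


@dataclass
class AccountService:
    accounts: dict = field(default_factory=dict)

    def create_account_unchecked(self, email, display_name):
        """Behaviour the article describes: trusts that the app already enforced the queue."""
        self.accounts[email] = display_name
        return {"status": "success"}

    def create_account_checked(self, email, display_name):
        """Proposed fix: the account-creation endpoint re-evaluates eligibility itself and
        never consults anything the client asserts about its queue position."""
        if not eligible(email):
            return {"status": "error", "message": "not yet eligible"}
        self.accounts[email] = display_name
        return {"status": "success"}
```

The detection angle follows from the same model: an account created for an email whose server-side position is not at the front is the signal that the client gate was bypassed.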

Until then, technically savvy users desperate to get on BBM have a way to skip the line.