Email and Phone Number Verification Bypass Worth $$$
2021-10-05 14:44:31 Author: infosecwriteups.com

Tuhin Bose

Hello guys! My name is Tuhin Bose (@tuhin1729). I am currently working as Chief Technology Officer at Virtual Cyber Labs. In this write-up, I am going to share one of my findings, which helped me earn $$$.

So without wasting time, let’s start:

The target was an email marketing website; let’s call it redacted.com. I quickly tried to create an account there. While creating the account, I noticed that they verify both the email address and the phone number of the user using an OTP, so I decided to try an OTP bypass. I submitted the OTP and captured the request using Burp. In both cases (email and phone number), the request looks like this:

[Screenshot: the captured OTP verification request, with its “requestId” and “response” fields]

The OTP is associated with the requestId. When we forward the request, the server verifies whether the value of “response” matches the one stored for the corresponding “requestId”; if it matches, it redirects to phone number verification. That check does not tie the requestId to the account being registered. So if we copy the request body, drop the request, and then reuse that body while creating an account with the victim’s email address, we may succeed.

I performed the following steps and BOOM! Email verification bypassed successfully! I was able to create an account using the victim’s email address.

i. Try to create an account using the attacker’s email address.

ii. Submit the OTP (which is received in the attacker’s inbox), copy the request body and drop the request.

iii. Now try to create an account using the victim’s email address.

iv. Enter any random OTP and capture the request using Burp.

v. Replace the body of this request with the one you copied in step ii.

vi. Forward the request.

Since the same mechanism is used to verify the phone number, I was able to bypass phone number verification in the same way.

By exploiting this vulnerability, an attacker can create an account using a victim’s email address and phone number.
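To make the root cause concrete, here is an added example (not code from the write-up or from the affected site) that models the OTP check two ways: the vulnerable form, which only compares “response” against “requestId”, and a hardened form that also binds the challenge to the contact being registered, expires it and makes it single-use. The data model, function names and addresses are hypothetical.

```python
import hmac
import secrets
import time

# In-memory store of outstanding OTP challenges: request_id -> challenge.
# Hypothetical data model; the real site's storage is not described in the write-up.
CHALLENGES = {}


def issue_otp(contact: str, ttl: int = 300) -> tuple[str, str]:
    """Create a challenge bound to the email/phone it was sent to. Returns (requestId, code)."""
    request_id = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"
    CHALLENGES[request_id] = {"contact": contact, "code": code,
                              "expires": time.time() + ttl, "used": False}
    return request_id, code


def verify_vulnerable(request_id: str, response: str) -> bool:
    """Checks only that 'response' matches 'requestId' (the behaviour described above):
    nothing ties the challenge to the account being registered, so a body captured
    during one signup is accepted during another."""
    ch = CHALLENGES.get(request_id)
    return ch is not None and ch["code"] == response


def verify_hardened(signup_contact: str, request_id: str, response: str) -> bool:
    """Accepts the OTP only if the challenge was issued for this signup's own
    contact, is unexpired and unused, and the code matches (constant-time)."""
    ch = CHALLENGES.get(request_id)
    if ch is None or ch["used"] or time.time() > ch["expires"]:
        return False
    if ch["contact"] != signup_contact:        # body replayed from another signup
        return False
    if not hmac.compare_digest(ch["code"], response):
        return False
    ch["used"] = True                          # single use: blocks later replays
    return True


def replay_scenario() -> tuple[bool, bool]:
    """Constructed walk-through of steps i-vi: OTP completed for the attacker's own
    address, then the same body submitted while registering the victim's address."""
    attacker, victim = "attacker@example.com", "victim@example.com"
    req_id, code = issue_otp(attacker)          # steps i-ii: OTP arrives at attacker
    # steps iii-vi: the victim's signup carries the attacker's requestId/response pair
    return verify_vulnerable(req_id, code), verify_hardened(victim, req_id, code)
```

`replay_scenario()` returns `(True, False)`: the unbound check accepts the replayed body, the bound check rejects it.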

I quickly made a PoC and sent it to them. Within 24 hours they replied:

[Screenshot: the program’s reply]

Timeline:

04/05/21 — Reported Vulnerability

05/05/21 — Replied with the bounty email

Waiting for the bounty!!!

If you want to learn Bug Bounty Hunting, you can enroll in our course here.

Follow me on Instagram: @tuhin1729

Thanks for reading. I hope you enjoyed this blog.


Article source: https://infosecwriteups.com/email-and-phone-number-verification-bypass-worth-85dbaa794b28?source=rss----7b722bfd1b8d--bug_bounty