[Bounty Weekend] Phone Verification Bypass With Business Logic Vulnerability


Background

The target application is an online banking platform that provides a range of financial services, including high-interest savings accounts, no-fee transactions, and easy money transfers. Users can manage their finances conveniently through a user-friendly interface, accessing features like bill payments, international money transfers, and financial insights. The platform aims to offer a seamless and efficient banking experience, with a focus on high returns and low costs for its users.

Discovery

During the registration process, the application requires both email and phone number verification, each confirmed with a One Time Password (OTP). The email address is validated first, followed by the phone number.

Analysis

While analyzing the registration flow, I intercepted the request responsible for sending the OTP to the email address. The request payload was as follows:

{"email":"<Your Email Address>","otpChannel":"EMAIL"}

Following the flow, once the email address was validated, the next step was phone number verification. However, when I triggered the API to resend the OTP to the email address at this point, it sent a new OTP to the email, even though email verification was already complete.

Exploitation

After discovering that the OTP was sent to the email address despite the completion of the email verification step, I experimented by using the OTP received via email for the phone number verification step. Surprisingly, the OTP was accepted, thereby bypassing the phone number verification process.

This indicated a business logic flaw: the OTP issued for the email channel was accepted at the phone number verification step, so ownership of the phone number was never actually proven, compromising the integrity of the registration process.
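The flaw described in Analysis and Exploitation, as an added example that is not the target's code: a minimal server-side OTP state machine with the defect (one OTP slot per registration, not bound to channel or step, resend allowed at any time) beside a hardened version that binds each code to (channel, identifier), consumes it once, and issues or accepts codes only for the step the server considers pending. The "SMS" channel name and the sample identifiers are assumptions; only the "EMAIL" channel appears in the original payload.

```python
import hmac
import secrets

def new_code() -> str:
    """Six-digit numeric OTP, as the registration flow would send it."""
    return f"{secrets.randbelow(10**6):06d}"

class VulnerableFlow:
    """Mirrors the flaw in the writeup: a single OTP slot per registration that is
    not bound to the channel it was delivered on, and resend works at any step."""
    def __init__(self):
        self.verified = {"EMAIL": False, "SMS": False}  # "SMS" is an assumed channel name
        self.current_otp = None
    def send_otp(self, identifier: str, channel: str) -> str:
        self.current_otp = new_code()  # no check that this channel is still pending
        return self.current_otp        # returned so the demo can play the user's inbox
    def verify(self, code: str, channel: str) -> bool:
        if self.current_otp is None or not hmac.compare_digest(code, self.current_otp):
            return False
        # Which identifier is marked verified depends only on the channel the
        # caller claims, not on where the code was actually delivered.
        self.verified[channel] = True
        return True

class HardenedFlow:
    """OTP bound to (channel, identifier), single use, and only issued or accepted
    for the step the server itself considers pending (email first, then phone)."""
    def __init__(self):
        self.verified = {"EMAIL": False, "SMS": False}
        self.pending = {}  # (channel, identifier) -> code
    def expected_channel(self) -> str:
        return "EMAIL" if not self.verified["EMAIL"] else "SMS"
    def send_otp(self, identifier: str, channel: str) -> str:
        if channel != self.expected_channel():
            raise PermissionError(f"{channel} verification is not the pending step")
        code = new_code()
        self.pending[(channel, identifier)] = code
        return code
    def verify(self, code: str, channel: str, identifier: str) -> bool:
        if channel != self.expected_channel():
            return False
        expected = self.pending.pop((channel, identifier), None)  # single use
        if expected is None or not hmac.compare_digest(code, expected):
            return False
        self.verified[channel] = True
        return True
```

In the vulnerable flow a resend of the email OTP after the email step is complete yields a code that `verify` happily accepts for the phone step; the hardened flow refuses both the out-of-step resend and the cross-channel code.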

Report

The report was scored using HackerOne's CVSS 3.0 calculator:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Alhamdulillah, you've reached the end. Hopefully you learned something here, and thanks for your support!

I'm sorry for the lack of screenshots; this is a report from 2022 and I didn't really document it well back then :(
