.png)
4 years ago
215 BOOK THIS SPACE FOR AD
ARTICLE AD
In this writeup I will explain how I was able to bypass one-time password by resetting password via email address.
I discovered this vulnerability in a private program, I will name it: target.com, Before we keep going on explaning we should consider that this vulnerability occurred due to a wrong application of the reset password method via API which lead to leakeage of user live token in the response.
While I was doing recon in this target, I realised that all functions without exception are directly related to one API, This target was an interface for it’s own API, So it made sense to start with a functions scaning for bugs, And while I was checking the account settings, I find OTP option by phone number, So I turned it ON and logged out.
I directly logged in and decided to check for rate limit bypassing and other bugs related to OTP, But unfortunately their was a rate limit implementation in the API itself and I wasn’t able to bypass it.
I checked also if I can bypass OTP by resetting my password via email address, But the app will ask me to sign in again with my new password and insert the 6 digit OTP code was sent via SMS, So I wasn’t able to bypass it this way.
So it was time to check for every request and it’s response, I turned my intercept ON and started by checking reset password button response, There was nothing interesting, I opened my account email and checked the reset password link, The token in the link was complex and I can’t bruteforcing it.
I opened the link and inserted my new password, I pressed change my password button and checked the response, I could confirmed that the reset password API method set a new live token for my account and leakage the token in the response, By this live token I was able to use all methods in the account via API without the need to sign in to the app interface.
But I chose to find a way to stop the OTP without signing in, And after checking account settings I was able to find the API request that stops OTP, So I enterd the request in the repeater, And I was able to stop OTP just via API live token and I logged in to the app interface.
I was able to bypass OTP by resetting password via email address, We should consider that I was able to use every method in the account via API live token that get leakaged in the reset password method response, But I prefered to find Away to stop the OTP, And I stopped it via disable OTP API request, And I was able to open my account without the need to insert OTP code.
Report (Jul 7th).
First response (Jul 7th).
Duplicate (Jul 7th).
Before you go, I find another bug in the same target, I was able to change my email address by any email without need to confirm it, So I changed my email with the app help email, My account email was like help@target.com, But I totaly forgot about reporting it, And I chose to confirm my bank account so I can find new endpoints, And I send the confirm bank account request to the company, They realised that I used there help email, They disable my account and fix the bug, So ladies and gentlemen, Don’t forget to report your bugs, First things first.
Bengali (Bangladesh) · 
English (United States) ·