Email and Phone Number Verification Bypass Worth $$$

3 years ago 218

Tuhin Bose

Hello guys! My name is Tuhin Bose (@tuhin1729). I am currently working as a Chief Technology Officer at Virtual Cyber Labs. In this write-up, I am going to share one of my findings which helped me to earn $$$.

So without wasting time, let’s start:

Basically, the target was an email marketing website; let’s call it redacted.com. I quickly tried to create an account there. While creating an account, I noticed that they verify both the email and the phone number of the user using OTP. So I decided to try an OTP bypass. I submitted the OTP and captured the request using Burp. In both cases (email & phone number), the request looks like this:

[Screenshot of the captured OTP verification request, credited to tuhin1729; image not preserved]

The OTP is associated with the requestId. When we forward the request, the server verifies whether the value of “response” is the same for the corresponding “requestId”, and if it matches, it redirects to phone number verification. So if we copy the request body, drop the request, and then reuse that body while creating an account with the victim’s email address, we may succeed.

I performed the following steps and BOOM! Email verification bypassed successfully! I was able to create an account using victim’s email address.

i. Try to create an account using attacker’s email address.

ii. Submit the OTP (which is received in attacker’s account), copy the request body and drop it.

iii. Now try to create an account using victim’s email address.

iv. Enter any random OTP and capture the request using Burp.

v. Replace the body of the request with the one you copied in step ii.

vi. Forward the request.

Since the same mechanism is implemented while verifying the phone number, I was also able to bypass the phone number verification successfully.

By exploiting this vulnerability, an attacker can create an account using victim’s email address and phone number.
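The server-side cause of the behaviour described above, shown next to a hardened check, as an added example that is not code from the original write-up or from the target. Only the field names requestId and response come from the post; the `OtpStore` class, session ids, TTL and addresses are hypothetical, and `target` is assumed to come from server-side signup state rather than from the request body.

```python
import hmac
import secrets
import time

OTP_TTL = 300  # seconds; assumed lifetime, not from the write-up


class OtpStore:
    """Hypothetical in-memory OTP store keyed by requestId."""

    def __init__(self):
        self._pending = {}

    def issue(self, session_id, target):
        request_id = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[request_id] = {
            "otp": otp, "session": session_id, "target": target,
            "expires": time.time() + OTP_TTL,
        }
        # A real service delivers otp to `target`; returned here for the demo.
        return request_id, otp

    def verify_unbound(self, request_id, response):
        # Flawed: any signup that presents a matching pair passes.
        rec = self._pending.get(request_id)
        return rec is not None and hmac.compare_digest(
            rec["otp"].encode(), response.encode())

    def verify_bound(self, session_id, target, request_id, response):
        # Hardened: the pair must belong to this session and this address,
        # be unexpired, and is consumed on success (single use).
        rec = self._pending.get(request_id)
        if rec is None:
            return False
        ok = (rec["session"] == session_id
              and rec["target"] == target
              and time.time() < rec["expires"]
              and hmac.compare_digest(rec["otp"].encode(), response.encode()))
        if ok:
            del self._pending[request_id]
        return ok


if __name__ == "__main__":
    store = OtpStore()
    rid, otp = store.issue("sess-A", "a@example.test")  # constructed values
    print(store.verify_unbound(rid, otp))                            # pair alone
    print(store.verify_bound("sess-B", "b@example.test", rid, otp))  # other signup
    print(store.verify_bound("sess-A", "a@example.test", rid, otp))  # rightful owner
```

The unbound check accepts the pair regardless of which signup presents it; the bound check rejects it for any session or address other than the one the OTP was issued for, and rejects reuse after success.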

I quickly made a POC and sent it to them. Within 24 hours they replied to me:

[Screenshot of the reply, credited to tuhin1729; image not preserved]

Timeline:

04/05/21 — Reported Vulnerability

05/05/21 — Replied with the bounty email

Waiting for the bounty!!!

If you want to learn bug bounty, you can ping me on Instagram: @tuhin1729

If you want to learn hacking, you can enroll in our course: https://virtualcyberlabs.com

Thanks for reading. I hope you enjoyed this blog.
