First Bounty! Disable 2FA of any user via OTP bypass

2 years ago 112

Getting that first bug bounty is a special feeling for any bug hunter. This is my first write up so please bear with me.

So let’s get started. The target was a crypto exchange (say www.target.com). After you enter your user id and password, you get redirected to the 2FA verification page (assuming 2FA is turned on). On this page, there was an option to disable 2FA in case you had lost access to your device.

In order to disable 2FA, a 4-digit OTP was sent to the user’s email address. The problem with the application logic was that it would check every single value in the OTP parameter if you supplied multiple values. The values were added as a JSON array in the request body, for example

OTP: ["1111", "2222", "3333", "{correct OTP}", "4444", "5555", "6666"]

Yes, that was my face when I found the bug!

The application would iterate through all these values one by one, so if the correct OTP was present anywhere in the list, OTP verification was bypassed. As the OTP is only 4 digits, a motivated hacker only needs to build a JSON list of every OTP from 0000 to 9999, and eventually they will be able to disable 2FA on any account.
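As an added illustration (not the exchange’s code, which the post does not show), here is the checking logic as described above next to a hardened verifier. The field name OTP comes from the post; the JSON request-body shape, the sample code 4821 and the attempt budget are assumptions made for the example.

```python
import hmac
import json

# Constructed sample value; in a real service this comes from the server-side OTP store.
EXPECTED_OTP = "4821"
MAX_ATTEMPTS = 5


def verify_otp_vulnerable(body: str, expected: str) -> bool:
    """Mirrors the logic described in the write-up: when the OTP parameter is a
    list, every element is checked, so a list that contains the right code passes."""
    otp = json.loads(body)["OTP"]
    if isinstance(otp, list):
        return any(candidate == expected for candidate in otp)
    return otp == expected


class OtpVerifier:
    """Hardened form: exactly one string candidate per request, strict format,
    constant-time comparison, and a per-session attempt budget."""

    def __init__(self, expected: str, max_attempts: int = MAX_ATTEMPTS):
        self._expected = expected
        self._attempts_left = max_attempts

    def verify(self, body: str) -> bool:
        otp = json.loads(body).get("OTP")
        # Reject arrays, objects and numbers: only a single 4-digit string is a candidate.
        if not isinstance(otp, str) or len(otp) != 4 or not otp.isdigit():
            return False
        # Locked out after too many wrong guesses: a fresh OTP must be issued.
        if self._attempts_left <= 0:
            return False
        self._attempts_left -= 1
        ok = hmac.compare_digest(otp, self._expected)
        if ok:
            # One-time code: burn it after a successful use as well.
            self._attempts_left = 0
        return ok
```

The type check alone closes the multi-value bypass; the attempt budget is what makes a 10,000-value keyspace safe against one-at-a-time guessing.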

Similar functionality was also found in multiple places of the same application.

Bounty — 500USDT

Tip — Always try to add multiple values for OTP and password fields and see how the application behaves.

Thanks!

ba7man
