Forgot password OTP flaw leads to Account Takeover.


Hope you all are doing great!

I am Abhishek Pal, here with my new blog. In this blog I am going to give details about an easy P1 bug I encountered while hunting.

On July 8, 2022, I found an Account Takeover vulnerability through response manipulation in a private bug bounty program. The company resolved the issue and reopened the program after two years. Last month, the program updated at 10:00 ITC, opening the same domain. I decided to revisit it, thinking maybe something new could be found. After some time, I reported a few IDOR and low-hanging vulnerabilities, but I thought, why not try the account takeover bypass again? Maybe there’s still a glitch.

I created two accounts and started testing the application carefully. After two long hours of no success, I was almost ready to give up. But then something caught my attention: I noticed that a token in the response was the same for all requests. That’s when my instincts kicked in.

I kept trying to manipulate the response, but the server kept rejecting my attempts. It was frustrating, but I didn’t want to quit just yet. In a moment of trial and error, I decided to send an OTP to both accounts and entered the correct OTP. Suddenly, things started making sense.

I realized there was a vulnerability that had been missed. With this breakthrough, I dug deeper and uncovered a major flaw in the system.

Attacker:

1. Go to the application and click on the reset password link. Enter the email address.

2. The application sends an OTP to the email. Copy the OTP, paste it into the input field, intercept the request in Burp Suite, and save the response. This response contains a token that is the same for all OTP validation requests.

[Screenshot: the token, which is the same for every OTP validation]

3. Drop the request from the “New Password” page.

Victim:

1. Enter the victim’s email in the “Forgot Password” field. An OTP is sent to their email.

[Screenshot: victim email address]

2. Enter a random OTP and intercept the request. Paste the saved response here and forward the request. Even with a wrong OTP, you successfully bypass the OTP page, and the “New Password” page opens.

[Screenshot: pasting the saved OTP response]

3. Change the password, and now you’ve taken over the account.
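The steps above work because the server hands out one static token from OTP validation and never checks which account that token was earned for. The toy model below is an added example written for this post, not code from the affected application: it puts that pattern next to a hardened variant that issues a random, single-use, expiring token bound to the e-mail address that actually passed OTP validation. The class names, the e-mail addresses, the "reset-ok" token value, the fake clock and the in-memory store are all constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Account:
    email: str
    password: str
    otp: Optional[str] = None  # code "sent" by e-mail; kept here only for the simulation


class ResetServiceBase:
    """Constructed plumbing: in-memory accounts plus an injectable clock."""

    def __init__(self, accounts: List[Account], clock: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {a.email: a for a in accounts}
        self._clock = clock

    def request_reset(self, email: str) -> str:
        acct = self.accounts[email]
        acct.otp = f"{secrets.randbelow(10**6):06d}"
        return acct.otp  # returned so the simulation can play the legitimate user

    def _otp_matches(self, email: str, otp: str) -> bool:
        acct = self.accounts[email]
        return acct.otp is not None and hmac.compare_digest(acct.otp, otp)


class VulnerableResetService(ResetServiceBase):
    """Mirrors the post: every successful OTP validation returns the same token."""

    STATIC_TOKEN = "reset-ok"  # placeholder; the real value is not disclosed in the post

    def validate_otp(self, email: str, otp: str) -> Optional[str]:
        return self.STATIC_TOKEN if self._otp_matches(email, otp) else None

    def set_new_password(self, email: str, token: str, new_password: str) -> bool:
        # Checks that the token is "valid", but not which account earned it.
        if not hmac.compare_digest(token, self.STATIC_TOKEN):
            return False
        self.accounts[email].password = new_password
        return True


class HardenedResetService(ResetServiceBase):
    """Token is random, bound to the verified e-mail, single-use and short-lived."""

    TOKEN_TTL_SECONDS = 600

    def __init__(self, accounts: List[Account], clock: Callable[[], float] = time.time) -> None:
        super().__init__(accounts, clock)
        self._tokens: Dict[str, Tuple[str, float]] = {}  # token -> (email, expiry)

    def validate_otp(self, email: str, otp: str) -> Optional[str]:
        if not self._otp_matches(email, otp):
            return None
        self.accounts[email].otp = None  # an OTP may be redeemed once
        token = secrets.token_urlsafe(32)  # fresh and unguessable per validation
        self._tokens[token] = (email, self._clock() + self.TOKEN_TTL_SECONDS)
        return token

    def set_new_password(self, email: str, token: str, new_password: str) -> bool:
        entry = self._tokens.pop(token, None)  # consumed on first use, valid or not
        if entry is None:
            return False
        bound_email, expires_at = entry
        if bound_email != email or self._clock() > expires_at:
            return False
        self.accounts[email].password = new_password
        return True


ATTACKER, VICTIM = "attacker@example.test", "victim@example.test"  # constructed


def _fresh(service_cls, clock=time.time):
    return service_cls([Account(ATTACKER, "attacker-old"), Account(VICTIM, "victim-old")], clock)


def cross_account_reset_succeeds(service_cls) -> bool:
    """Replay the post's steps: validate your own OTP, keep the returned token,
    then submit that token on the victim's "New Password" step."""
    svc = _fresh(service_cls)
    token = svc.validate_otp(ATTACKER, svc.request_reset(ATTACKER))
    real_otp = svc.request_reset(VICTIM)  # lands in the victim's inbox, not the attacker's
    wrong_guess = "000000" if real_otp != "000000" else "000001"
    if svc.validate_otp(VICTIM, wrong_guess) is not None:
        raise RuntimeError("OTP comparison itself is broken")  # not the flaw under test
    return svc.set_new_password(VICTIM, token, "attacker-chosen")


def legitimate_reset_succeeds(service_cls) -> bool:
    svc = _fresh(service_cls)
    token = svc.validate_otp(VICTIM, svc.request_reset(VICTIM))
    return svc.set_new_password(VICTIM, token, "new") and svc.accounts[VICTIM].password == "new"


def token_replay_succeeds(service_cls) -> bool:
    svc = _fresh(service_cls)
    token = svc.validate_otp(VICTIM, svc.request_reset(VICTIM))
    svc.set_new_password(VICTIM, token, "first")
    return svc.set_new_password(VICTIM, token, "second")  # same token, second time


def expired_token_succeeds() -> bool:
    now = [1_700_000_000.0]  # constructed fake clock
    svc = _fresh(HardenedResetService, clock=lambda: now[0])
    token = svc.validate_otp(VICTIM, svc.request_reset(VICTIM))
    now[0] += HardenedResetService.TOKEN_TTL_SECONDS + 1
    return svc.set_new_password(VICTIM, token, "late")
```

The three checks in the hardened service map directly onto the fix a program would want: the token must be unguessable and fresh per validation (so a saved response from one flow says nothing about another), it must be bound server-side to the e-mail that passed the OTP check, and it must be consumed on first use and expire quickly. A password change completed with a token issued for a different address, or with a token seen before, should never occur in a correct implementation and is a cheap thing to log and alert on.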

[Screenshot: couldn’t believe I found an account takeover again]

I reported the issue again, and it was accepted. For confirmation, the customer even shared their email and asked me to try taking over their account. Following the same steps, I logged in within 2 minutes.

This journey took 3–4 hours of analysis and learning, and when I reported the issue, it felt like a “Wow!” moment.
