An encryption algorithm that passes security tests and seems flawless… But once it goes live, imagine accounts being taken over without a single click. So, how did I make this possible?
1) We have a demo environment alongside the target application. Let’s call our target application “redacted.com” and the demo application “demo.com”. The demo environment could also be a subdomain of the live environment, such as “demo.redacted.com”.
2) The demo and live environments have the same UI. While doing some security tests in the demo environment (demo.com), I noticed that all OTP codes sent before registration had the value “1234”. At first, it seemed like an easy OTP bypass.
3) Then, when I entered “1234” to register in the demo environment with a random phone number, my account was created with the HTTP response below. When I examined the HTTP response, the first thing that came to mind was changing the ID value to see if I could get a different response, but I was unsuccessful at that point. Then, I thought that the access_token value might also be valid in the live environment. I switched to the live environment (redacted.com) and made the same request, replacing the OTP validation result from the live environment with this response.
4) Bingo! I had indeed bypassed the OTP validation, but wait! The account the application redirected me to wasn’t mine. I was in another user’s account because the access_code generated was directly based on the ID value. This meant that the access_code generated for user ID 237 in the demo environment was exactly the same as the one generated for user ID 237 in the live environment. Yes, I was in the account of user ID 237. I was able to access all of the users’ information, such as their personal information, phone number, address information, identification information, payment details, and subscription details.
As a result, the ID values of the accounts I created in the demo were incrementing one by one. I saw the value 238 for the next account I created in the demo and was able to take over the account of the 238th user using its access_code value. With a simple script, I could have taken over the accounts of all the users in the live environment, starting from 237, one by one. To do this, all I had to do was enter 1234 as the OTP code in the demo environment.
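The root cause described above is that the token was a pure function of the user ID with nothing environment-specific mixed in, so demo and live minted the same value for ID 237, and the demo additionally accepted a fixed OTP. The example below is added here and is not the application's code; the weak scheme is a reconstruction (the post never shows the real algorithm, so `weak_access_token` is an assumption that only preserves the property "same ID, same token in every environment"). It contrasts that with a per-environment issuer that hands out random opaque session tokens and random per-request OTPs, and includes the check a defender would run against a demo/live pair: does a token issued by the demo resolve to an account in live?

```python
import hashlib
import secrets
from typing import Optional

# --- Weak scheme (assumed reconstruction, not the real algorithm) ---------------------
# The token depends only on the user ID and on no environment secret, so every
# deployment that shares the code derives the identical token for the same ID.
def weak_access_token(user_id: int) -> str:
    return hashlib.sha256(f"user:{user_id}".encode()).hexdigest()


class WeakEnvironment:
    """A deployment that accepts any token equal to weak_access_token(<known id>)."""

    def __init__(self, name: str, user_ids: range):
        self.name = name
        self.lookup = {weak_access_token(uid): uid for uid in user_ids}

    def issue(self, user_id: int) -> str:
        return weak_access_token(user_id)

    def resolve(self, token: str) -> Optional[int]:
        return self.lookup.get(token)


# --- Hardened scheme -------------------------------------------------------------------
class Environment:
    """Each deployment owns its own session store and OTP store. Tokens are random and
    opaque (no user-ID structure), so they mean nothing outside the environment that
    issued them, and the demo gets no fixed OTP short-cut."""

    def __init__(self, name: str):
        self.name = name
        self.sessions: dict[str, int] = {}      # token -> user_id, server side only
        self.pending_otps: dict[str, str] = {}  # phone -> code awaiting verification
        self.next_id = 1                        # sequential IDs are fine: they are not secret

    def request_otp(self, phone: str) -> str:
        # Random per request in every environment. In a real system the code goes out
        # of band (SMS) and is never echoed in the HTTP response; it is returned here
        # only so the example can drive itself.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[phone] = code
        return code

    def verify_otp(self, phone: str, code: str) -> Optional[str]:
        # One attempt per code: a wrong guess consumes it, so a new OTP must be requested.
        expected = self.pending_otps.pop(phone, None)
        if expected is None or not secrets.compare_digest(expected, code):
            return None
        return self.issue(self.register(phone))

    def register(self, phone: str) -> int:
        user_id, self.next_id = self.next_id, self.next_id + 1
        return user_id

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)       # random, unrelated to the ID
        self.sessions[token] = user_id
        return token

    def resolve(self, token: str) -> Optional[int]:
        return self.sessions.get(token)


def token_crosses_environments(demo, live, user_id: int) -> bool:
    """Defender's check: a token minted in `demo` must never resolve in `live`.
    True means the two deployments share token derivation (the bug in the write-up)."""
    return live.resolve(demo.issue(user_id)) is not None


if __name__ == "__main__":
    # Constructed sample deployments: both weak environments know IDs 1..299.
    weak_demo, weak_live = WeakEnvironment("demo", range(1, 300)), WeakEnvironment("live", range(1, 300))
    print("weak scheme crosses environments:", token_crosses_environments(weak_demo, weak_live, 237))
    demo, live = Environment("demo"), Environment("live")
    live.issue(237)  # user 237 has a live session
    print("hardened scheme crosses environments:", token_crosses_environments(demo, live, 237))
```

Run it as a script and the weak pair reports `True` (demo's token for 237 logs you into live's 237) while the hardened pair reports `False`. The same `token_crosses_environments` check is cheap to keep as a regression test in a pipeline that deploys the same code to several environments, which is exactly the situation this report arose from.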
Note: All sensitive content belonging to the company has been CENSORED and NO internal company information has been shared in any screenshots.
Status: FIXED✅