How I Discovered a Sneaky Account Takeover Vulnerability

Greetings, cybersecurity enthusiasts! In this blog, we’ll walk through the intricate process that allows attackers to bypass access controls, manipulate OTP validation, and ultimately take control of unsuspecting users’ accounts.

So, you know when you forget your password and need to reset it? Well, I found a way where someone could mess with that process and take over someone else’s account. Here’s how it happened:

Step 1: Users initiate the password reset by entering their PAN number and requesting an OTP.

Step 2: The system validates the PAN, and upon success, sends an OTP to the user’s registered mobile number.

Step 3: Users input the received OTP to confirm their identity

Step 4: Successful OTP validation grants users the ability to change their passwords.

Step 5: After successfully changing the password, the user is prompted to log in again.

Step 6: By providing their PAN number, the system generates a new OTP and initiates the process of changing the password.

A closer inspection of the HTTP request reveals two parameters: PAN and user UserID. Surprisingly, both parameters contain the PAN number provided during the initial password reset.

similarly I tried to replace the PAN and user ID with those of another user. The system fails to recognize the mismatch, allowing the attacker to bypass OTP validation and change the password of the target user.

With the password successfully changed, I was able to gains control over the target user’s account, Now I log in using the new password of the another user, effectively taking over the account without the legitimate user’s knowledge

Breaking down the complexities of Broken Authentication, we’ve witnessed how seemingly benign processes, like password reset functionalities, can become potential gateways for malicious actors to compromise user accounts. The journey from a legitimate password reset request to a successful account takeover highlights the critical importance of robust authentication mechanisms in safeguarding our digital identities.