How I was able to do Mass Account Takeover[Bug Bounty]

This was one of the interesting bug that i found on a target.

The vulnerability lied in the website’s password reset page.
In order to reset the password an user required two things.(his username and his email)
It was a OTP based password reset mechanism.

There were 3 steps to it.
1.Enter your username and email address
2.Enter the OTP you received
3.Enter the New password

At first i tried to perform response manipulation in Step 2.I entered victims username and password,entered 123456 as the OTP and changed the response from {“success”:”false”} to {“success”:”true”}

The website redirected me to step 3 and i was allowed to enter a new password for victims account.

I entered a new password and pressed Enter.And Guess what???It gave an error message saying ”OTP invalid”.

The website was validating the OTP at the 3rd step also :(

I wanted to see what would happen if i entered a valid OTP of attacker.
So in entered it and the password was successfully reset.

Excited with it,i rushed to login with victims email and the new password,but i was not able to login.WHYYY ???Turns out,since i entered attackers otp attackers password got reset instead of victim’s.I was like “WHATTT”.

The request was like this:
{“username”:”victim123" “email”:”victimemail@gmail.com”,”newpass”:”Pass@443",”mfa”:”432521"}

Eventhough the request body had email and username parameter it was totally useless.So i re-sent the request and it still worked.

So it means there was another bug also.
The OTP was not getting invalidated until a new OTP is requested.Which means i can re-use the same OTP again and again if I donot request a new one

Now,comes the interesting part,Since i realized that an attacker will now not need victims username and email,he can enter his own username and password.All he need to do is enter victims OTP in the 3rd step.

How will attacker get victim’s OTP?
There was no Rate-limit implemented which means he can easily bruteforce it and he will be able to change the password of every-user whose OTP got entered during the bruteforcing process.

Downsides:
-The OTP was expiring in 1 hour.Which means an attacker will only be able to change the password of the victim’s who have requested any OTP during this 1 hour period.
But,He can still change victims password if he has their username and email by requesting a new OTP and bruteforcing it.

Follow me on:
https://twitter.com/RickyyNot