How improper OTP implementation could lead to Account Take Over (Part 3)


M Maulana Abdullah

Another faulty OTP implementation was found in a password reset flow. On the redacted.com system the OTP is meant to gate the user’s way to the reset password page, but it can be bypassed easily. The most harmful part of this password reset is that the username can be anybody’s registered email. In other words, you can act as another person and reset their credential to one of your own choosing.

1. Input the email whose password was forgotten

[Screenshots: forgot password page; forgot password API that sends the OTP to the email; the OTP received by email]

2. Input the OTP

[Screenshots: OTP input page; OTP verification API]

3. After the OTP is verified, the password reset page is shown

[Screenshots: new password input; password reset API]

Looking at the password reset API above, there is no input parameter that relates to the OTP handled in steps 1 and 2. Nothing in the request ties it to a verified OTP, so steps 1 and 2 are actually not required to change a password. You can change the password directly through the API with just any known registered email (yes, it may be someone else’s registered email).

1. Let’s create another account to be taken over, e.g. 1@gmail.com, and change its credential to ‘newtrialpassword’ through the password reset API alone.
Bingo!!! Without any access to the 1@gmail.com inbox, the credential was still changed successfully.

2. Let’s prove the new credential really works in the login process

[Screenshots: login form for the email; login form for the password; login successful; login API responds successfully with the new credential]

According to these observations, the following points at redacted.com do not follow the rule of thumb:

1. The OTP (or a token derived from verifying it) is not included in the request body of the password reset API, so the reset call cannot prove that steps 1 and 2 ever happened.
2. The email input parameter of the password reset is not tied to the OTP verified in the previous step, so any registered email can be supplied (this is what leads to account takeover).
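To make the gap concrete, here is an added example (not the article’s or redacted.com’s code) that models the three steps in plain Python: the reset handler as the article found it, which accepts only email and new password, beside a hardened one that requires a single-use token issued by the OTP verification and bound to the same email. Function names, the token format, the time limits and the in-memory stores are assumptions for illustration; the victim address 1@gmail.com is the one used in the article.

```python
"""Added example, not the article's or redacted.com's code: the password reset
flow from the article modelled in plain Python. Function names, token formats,
time limits and the in-memory stores are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300            # assumption: OTP valid for 5 minutes
RESET_TOKEN_TTL_SECONDS = 600    # assumption: reset token valid for 10 minutes
MAX_OTP_ATTEMPTS = 5             # assumption: guess limit per issued OTP

users = {}          # email -> password hash (constructed in-memory user store)
pending_otps = {}   # email -> {"otp", "expires", "attempts"}
reset_tokens = {}   # token -> {"email", "expires"}


def _hash_password(password):
    # Illustration only: a real service uses a slow hash such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def _eq(a, b):
    # Constant-time comparison for secrets (OTP, token owner, password hash).
    return hmac.compare_digest(a.encode(), b.encode())


def register(email, password):
    users[email] = _hash_password(password)


def login(email, password):
    stored = users.get(email)
    return stored is not None and _eq(stored, _hash_password(password))


# Step 1: the forgot password API "sends" a 6-digit OTP to the mailbox.
def forgot_password(email, now=None):
    """Returns the OTP only so a test can play the mailbox; a real API never
    returns it in the response."""
    if email not in users:
        return None                      # same response either way: no user enumeration
    now = time.time() if now is None else now
    otp = "%06d" % secrets.randbelow(10 ** 6)
    pending_otps[email] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp


# Step 2: OTP verification API. On success it issues a single-use reset token
# bound to the email; that token is the evidence step 3 must present.
def verify_otp(email, otp, now=None):
    now = time.time() if now is None else now
    entry = pending_otps.get(email)
    if entry is None or now > entry["expires"]:
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_OTP_ATTEMPTS:
        del pending_otps[email]          # too many guesses: force a fresh OTP
        return None
    if not _eq(entry["otp"], otp):
        return None
    del pending_otps[email]              # OTP is single use
    token = secrets.token_urlsafe(32)
    reset_tokens[token] = {"email": email, "expires": now + RESET_TOKEN_TTL_SECONDS}
    return token


# Step 3 as the article found it: the body carries only email and new password.
def reset_password_vulnerable(email, new_password):
    """Nothing here references the OTP from steps 1 and 2, so an attacker can
    call this directly with any registered email and skip both steps."""
    if email not in users:
        return False
    users[email] = _hash_password(new_password)
    return True


# Step 3 hardened: require the token from verify_otp and check that it was
# issued for this very email, so an attacker's own token cannot reset a victim.
def reset_password_hardened(email, reset_token, new_password, now=None):
    now = time.time() if now is None else now
    entry = reset_tokens.pop(reset_token, None)   # consumed whether or not it succeeds
    if entry is None or now > entry["expires"]:
        return False
    if not _eq(entry["email"], email):
        return False                     # token/email mismatch: the account-takeover case
    if email not in users:
        return False
    users[email] = _hash_password(new_password)
    return True


if __name__ == "__main__":
    register("1@gmail.com", "victim-original")   # the victim account from the article
    # The attacker skips steps 1 and 2 and calls the reset API with the victim's email.
    print("vulnerable reset:", reset_password_vulnerable("1@gmail.com", "newtrialpassword"))
    print("login as victim :", login("1@gmail.com", "newtrialpassword"))
    # Hardened API: without a token issued for 1@gmail.com the request is refused.
    print("hardened reset  :", reset_password_hardened("1@gmail.com", "guessed", "pwned"))
```

The point of the hardened handler is the pair of checks on the token: it must exist and be unexpired, and the email it was issued for must equal the email in the reset request. Binding the token to the email (rather than trusting the email parameter on its own) is what closes the takeover, and consuming the token on every attempt keeps a leaked or guessed token from being replayed.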

Another case will be discussed in another article. Please feel free to comment on anything you have spotted regarding wrong OTP implementations.
