Another faulty OTP implementation was found in the password reset flow. An OTP is meant to gate the way to the reset password page, yet on the redacted.com system it can be bypassed easily. The most harmful impact of this password reset is that the username can be anybody's registered email. In other words, you may act as other people and reset their credentials with your own.
1. Input the email whose password was forgotten

[Image: Forgot password page]

2. Input the OTP

[Image: OTP input page]

3. After the OTP is verified, the password reset page is shown

[Image: New password input]

As can be seen from the password reset API above, there is no input parameter that relates to the OTP identified at steps 1 and 2. The conclusion is that steps 1 and 2 are actually not required to perform a password change: you may modify the password directly through the API with just any known registered email (yes, it may be another user's registered email).
1. Let's create another account, the one that will be taken over, e.g. 1@gmail.com, and alter its credential to 'newtrialpassword'.

2. Let's prove the new credential really works during the login process

[Image: Login form using email]

[Image: Login form for the password]

[Image: Login is successful]

According to observation, the following points at redacted.com do not follow the rule of thumb:

- The OTP is not included in the request body parameters during password reset
- The email input parameter during password reset is not tied to the OTP specified at the previous step (this is what leads to account takeover)

Another case will be discussed in another article. Please kindly comment on anything you point out regarding wrong OTP implementations.
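To make the two points above concrete, here is an added example (not redacted.com's code) of a reset flow where the final password-change call is only honoured with a server-issued, single-use token that was minted by a successful OTP check and is bound to the same email. The in-memory stores, the SHA-256 placeholder for password hashing and the sample accounts are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

OTP_TTL = 300     # seconds an issued OTP stays valid (assumed value)
TOKEN_TTL = 600   # seconds a post-OTP reset token stays valid (assumed value)

def _hash_pw(pw: str) -> str:
    # Demo only: a real service would use argon2/bcrypt/scrypt here.
    return hashlib.sha256(pw.encode()).hexdigest()

class PasswordResetService:
    def __init__(self, users: dict):
        self.users = users          # email -> password hash (constructed sample data)
        self.pending_otps = {}      # email -> (otp, expiry)
        self.reset_tokens = {}      # token -> (email, expiry)

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1: issue an OTP for a registered email (returned here instead of emailed)."""
        if email not in self.users:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[email] = (otp, time.time() + OTP_TTL)
        return otp

    def verify_otp(self, email: str, otp: str) -> Optional[str]:
        """Step 2: a correct OTP yields a single-use reset token bound to this email."""
        entry = self.pending_otps.pop(email, None)   # one attempt per issued OTP
        if entry is None or time.time() > entry[1] or not hmac.compare_digest(entry[0], otp):
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (email, time.time() + TOKEN_TTL)
        return token

    def reset_password(self, email: str, new_password: str, reset_token: Optional[str]) -> bool:
        """Step 3: the email in the request must match the email the token was minted for."""
        if not reset_token:
            return False                                   # no token: steps 1 and 2 were skipped
        entry = self.reset_tokens.pop(reset_token, None)   # single use
        if entry is None or time.time() > entry[1]:
            return False                                   # unknown or expired token
        if not hmac.compare_digest(entry[0], email):
            return False                                   # token was minted for another account
        self.users[email] = _hash_pw(new_password)
        return True

    def login(self, email: str, password: str) -> bool:
        return hmac.compare_digest(self.users.get(email, ""), _hash_pw(password))
```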