.png)
3 years ago
379 BOOK THIS SPACE FOR AD
ARTICLE ADHello people, this is Kartik, and the following is a real-world example of how a flawed OTP authentication process can lead to account takeovers.
Login mechanism:
Login mechanism is pretty straightforward, user enters his phone number, an OTP is generated and sent to the user. User enters this OTP and gets logged in into the web application.
A detailed-look of the login mechanism:
Let’s check the login process in burp.
A POST request is sent to `/v1/auth/otp/generate` endpoint containing the contact number. A “sessionId” is generated by the server and sent back.
2. When the OTP is entered, a POST request is sent to /v1/auth/otp endpoint containing the sessionId generated in the previous step, the contact number and the otp. If the otp is correct, the server responds with the accessToken and refreshToken for that account.
The flaw:
On the second step what happens, if you enter some other person’s(the victim’s) phone number?
Ans: You get access! :)
Takeaways:
Do not only look for bugs on programs listed on hackerone, bugcrowd, etc. Try real world targets and you might discover low hanging fruit.
This company is valued at $730 million.
For mamaearth:- please take it seriously when somebody contacts you with a security bug. I sincerely hope that you’ll now take the bug seriously and fix it.
Thank you.
Bengali (Bangladesh) · 
English (United States) ·