Don't mind my edit please!
As I said, the impact is close to nothing in the sign-up scenario: we're just using someone's phone number without their permission. In contrast, in the account settings update scenario it's critical. From a victim's perspective, just imagine someone breaking into your account and then enabling 2FA! Or an attacker breaking into your account and then, each time you recover it, breaking in again using the reset password functionality! In the case of a CSRF vulnerability in the phone number update process on a website that doesn't validate the OTP, this is a clear, easy account takeover.

Here are the steps to reproduce this issue.

Account creation:

1. Create an account and validate the email.
2. Complete the account information fieldset with any phone number, even one used by another user.
3. The link will look something like this: https://www.duplicated.com/signup/phone-verification
4. Update it to https://www.duplicated.com/dashboard and press enter.
5. Check the account information: you'll find the phone number there.

Updating the phone number:

1. Go to account settings and change the phone number to another one, even if it's used by another user.
2. Do the same and change the link as in the previous process.
3. Phone number updated and validated!

Timeline:

June 3rd — reported.
July 10th — first response with a duplicate status (I thought they're planning to respond in the next century).
The root cause of the vulnerability is that they're not validating the OTP itself but relying on some kind of client-side validation that checks where the user came from.
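To make the root cause concrete, here is an added example (not code from the site in the write-up or from the author) that models both flows described above in plain Python: a vulnerable handler that saves the phone number as soon as it is submitted and relies on the redirect to the verification page, beside a hardened version where the number is held as a pending change and only becomes the account's verified number after the server itself checks the OTP. The in-memory stores, the route strings, the OTP length, the expiry window, and the attempt limit are assumptions chosen for the example; the hardened version also enforces that a verified number cannot be claimed by a second account, which covers the "used by another user" part of both procedures.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the site's database (assumption).
USERS = {}        # user_id -> {"phone": verified number or None, "pending": dict or None}
PHONE_INDEX = {}  # verified phone -> user_id, used to enforce uniqueness

OTP_TTL_SECONDS = 300   # assumed expiry window for a code
OTP_MAX_ATTEMPTS = 5    # assumed guess limit per pending change


def reset_store():
    """Clear both stores so the example can be run repeatedly."""
    USERS.clear()
    PHONE_INDEX.clear()


def _hash_otp(code, salt):
    # Store a salted hash of the code rather than the code itself.
    return hashlib.sha256(salt + code.encode()).hexdigest()


# --- Vulnerable flow: models the behaviour described in the write-up ---
def vulnerable_update_phone(user_id, phone):
    """The number is written to the account immediately; the only 'check' is
    sending the client to the OTP page. A user who edits that URL to /dashboard
    never enters a code, but the number is already saved as if verified."""
    user = USERS.setdefault(user_id, {"phone": None, "pending": None})
    user["phone"] = phone
    return "/signup/phone-verification"  # redirect target, not a server-side gate


# --- Hardened flow: two steps, and only the server decides when a number is verified ---
def request_phone_change(user_id, phone, now=None):
    """Step 1: record a *pending* change and issue an OTP. The account's
    verified number is untouched until the code is confirmed."""
    now = time.time() if now is None else now
    user = USERS.setdefault(user_id, {"phone": None, "pending": None})
    owner = PHONE_INDEX.get(phone)
    if owner is not None and owner != user_id:
        raise ValueError("phone number already verified by another account")
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    user["pending"] = {
        "phone": phone,
        "salt": salt,
        "otp_hash": _hash_otp(code, salt),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code  # would go out by SMS; returned here so the example runs offline


def confirm_phone_change(user_id, code, now=None):
    """Step 2: the server validates the OTP itself. Only on success does the
    pending number become the verified number. Skipping this step (for example
    by navigating straight to the dashboard) leaves the account unchanged."""
    now = time.time() if now is None else now
    user = USERS.get(user_id)
    pending = user["pending"] if user else None
    if not pending:
        return False
    if now > pending["expires"] or pending["attempts"] >= OTP_MAX_ATTEMPTS:
        user["pending"] = None  # expired or too many guesses: discard the change
        return False
    pending["attempts"] += 1
    if not hmac.compare_digest(_hash_otp(code, pending["salt"]), pending["otp_hash"]):
        return False
    # Re-check uniqueness at commit time in case another account verified it meanwhile.
    owner = PHONE_INDEX.get(pending["phone"])
    if owner is not None and owner != user_id:
        user["pending"] = None
        return False
    if user["phone"]:
        PHONE_INDEX.pop(user["phone"], None)
    user["phone"] = pending["phone"]
    PHONE_INDEX[pending["phone"]] = user_id
    user["pending"] = None
    return True


def verified_phone(user_id):
    """What the dashboard should display: only a number the server has verified."""
    user = USERS.get(user_id)
    return user["phone"] if user else None


if __name__ == "__main__":
    reset_store()
    vulnerable_update_phone("victim", "+15550001111")
    print("vulnerable flow, no OTP entered:", verified_phone("victim"))
    reset_store()
    code = request_phone_change("alice", "+15550001111", now=1000)
    print("hardened flow before OTP:", verified_phone("alice"))
    print("hardened flow after OTP:", confirm_phone_change("alice", code, now=1001), verified_phone("alice"))
```

The point of the split is that the "am I verified" decision lives entirely in `confirm_phone_change`, which the client cannot reach by changing a URL; the redirect becomes pure navigation. The uniqueness check is done both when the change is requested and again when it is committed, so two accounts racing for the same number cannot both end up with it.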
I'm not a fan of write-ups, but this was a must considering that I'm writing an article about abusing and protecting 2FA and OTP endpoints (wait for it), so this would be a great real-world example of URL path manipulation. Follow my activity on LinkedIn if you wish, so you can see my next write-ups or articles: https://www.linkedin.com/in/ben-aymen-2398651b0/