Phone number validation bypass through url path manipulation .

This is a vulnerability which I’ve found on one of hackerone’s private programs so I can’t mention the program name and considering that the vulnerability was closed as duplicated to a valid report so let’s use an alias ( duplicated.com ) .as the name is saying I’ve bypassed the phone number validation by manipulating the url path on two endpoints . The first one in the sign up process which wasn’t really critical ( but I don’t think that a user would like to use his number without his permission considering that the program was holding sensitive info’s such CC’s etc … ) , and the other one was in the endpoint where the user updates his account information .So in the first attempt I tried to bypass it using response manipulation but it didn’t work .then I noticed that the OTP validation page was redirecting me to the dashboard page . I tried to manipulate the url and change the path from duplicated.com/phone-validation to duplicated.com/dashboard and guess what I was redirected to the dashboard page and when I checked the user account settings I found the new phone number ( validated yeah damn validated ) without using the OTP .

Don’t mind my edit please !

As I said the impact is somehow nothing in the sign up scenario we’re just using someone’s phone number without his permission . in contrast in the account setting update scenario it’s critical . from a victim perspective just imagine someone breaking into your account then enabling the 2FA ! . or an attacker breaking into your account then each time you recover it he breaks into it again using the rest password functionality ! . in case of a csrf vuln in the phone number update process on a website that doesn’t validate the OTP this is a clear easy account takeover . Here’s the steps to reproduce this issue .

account creation :

create an account and validate the email .complete the account information fieldset any phone number even used by another userthe link will look something like this https://www.duplicated.com/signup/phone-verificationupdate it to https://www.duplicated.com/dashboard and press entercheck the account information you’ll find the phone number there .

updating the phone number :

go to account sitting and change the phone number to another one even if it’s used by another userdo the same and change the link as the previous processphone number updated . and validated !