Bypass OTP validation on Password Reset

Core issues

  1. The app does not lock the account after failed OTP attempts, so the OTP can be brute-forced.
  2. The app validates the OTP result only on the client side.

Exploit

Password reset flow:

  • Tap 'Forgot Password'
  • Enter the mobile number
  • Enter the OTP
  • Set a new password

Test 1 - Brute force the OTP

Check whether the server locks the account after repeated wrong OTPs.

Test 2 - Tamper with the response

Response for Wrong OTP:

HTTP/1.1 200 OK
[REDACTED]

{"VerifyAndDeleteOTPApplicationResponse": {"error": [{"code": "INVALID_OTP"}, "MESSAGE": "OTP verification failed"]}, "status": 401}

Response for Correct OTP:

{"succcess": true, "status":200}

Rewriting the wrong-OTP response into the correct-OTP format makes the app show the "enter new password" screen; the user then enters a new password and the password is changed. The server never checked that the OTP was actually verified before accepting the new password.
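Both findings come from the server trusting the client: no attempt limit on the OTP, and a password-change step that does not require proof of a verified OTP. The following added example (not code from the app or the original writeup) shows a server-side reset service that counts attempts, expires and locks the OTP, and only accepts a new password together with a reset token that the server itself issued after a correct OTP, so a forged "success" response carries nothing the server will honour. Names, limits and the in-memory stores are assumptions for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed limit: lock the OTP after this many wrong guesses
OTP_TTL_SECONDS = 300   # assumed lifetime of an OTP


class ResetService:
    """All reset state lives on the server; the client only sees opaque results."""

    def __init__(self):
        self.pending = {}   # mobile -> {"otp", "expires", "attempts"}
        self.tokens = {}    # server-issued reset_token -> mobile

    def request_reset(self, mobile, now=None):
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[mobile] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return otp  # delivered out of band (SMS); never part of the HTTP response

    def verify_otp(self, mobile, otp, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(mobile)
        if entry is None:
            return {"status": 401, "error": "INVALID_OTP"}
        # expired or exhausted OTPs are discarded; the user must request a new one
        if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(mobile, None)
            return {"status": 401, "error": "OTP_LOCKED"}
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["otp"], otp):   # constant-time compare
            return {"status": 401, "error": "INVALID_OTP"}
        self.pending.pop(mobile, None)                   # one successful use only
        token = secrets.token_urlsafe(32)
        self.tokens[token] = mobile
        return {"status": 200, "success": True, "reset_token": token}

    def set_password(self, reset_token, new_password, passwords):
        # The only acceptable proof of OTP verification is a token this server issued.
        mobile = self.tokens.pop(reset_token, None)
        if mobile is None:
            return {"status": 401, "error": "INVALID_RESET_TOKEN"}
        passwords[mobile] = new_password   # real code would hash the password
        return {"status": 200, "success": True}
```

Because the client never learns the OTP or the success/failure decision except through a server-issued token, editing the JSON it receives cannot move the flow forward.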

Ref

#BugBounty — “I don’t need your current password to login into your account” - How could I…
