OTP Bypass Leads to Account Takeover!

Jayesh Sharma
3 min read · Dec 15, 2020

Hey Guys,

It’s Jayesh Sharma here. I am new to Bug Bounties and this is my first write-up, so forgive my mistakes, if any. :P

So while hunting I found a website whose security was compromised by a “User account takeover!” Yes, you read that right. This was a grave vulnerability which I found recently during my bug bounty hunting on an Indian financial platform.

An “OTP” is more secure than a static password, especially a user-created password, which is typically weak. On this particular website the login method was via OTP only: in LOGIN/SIGNUP there was no static password functionality, there was only OTP. This was quite strange to see!

What if someone could brute force it and bypass OTP authentication? That is what makes it vulnerable, and targeting the same, I carried out this critical piece of hunting. Let’s start!

Login Page

While browsing through the website for some other vulnerabilities, I went to the “Login page”, where it asked me to enter a mobile number. As I entered the number, it sent me an OTP, and after filling in the right OTP in the form, it redirected me to “Welcome home! (Dashboard page)”.

I first jumped into the most common and basic attack to bypass OTP, a brute-forcing attack, to see if there was any rate limit or captcha implemented, but, as I phrased it, “most common and basic”, so it was not consecutive wrong attempts.

Let’s dive into this more. When I entered the wrong OTP, I got the following as the response:

Wrong OTP HTTP Response

So I decided to watch the response that I get if I enter the correct OTP:

  • I enter the correct OTP and make the request
  • Then I intercept the response to that request

And I got the correct response, given below:

Correct OTP Response

So I just copied the correct OTP response!

  • Enter my friend’s number with a wrong OTP, make the request, then intercept the response (I just replaced my number with my friend’s number in the response).
  • Manipulate the Invalid OTP response into the correct OTP response and forward it.

**BOOM** I was redirected to “create company profile.”

I was able to get into any user profile and to create a new company. This is how I could bypass OTP authentication, which also leads to account takeover for the user and lets me completely compromise their details with just a mobile number.
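The root cause the write-up describes is that the client acted on a “success” response instead of on a credential the server itself issued. As an added example (not the author’s or the affected platform’s code), here is a minimal server-side OTP check in Python: a session token is minted only after the server validates the OTP, so rewriting an “Invalid OTP” body to look like success gives the client nothing the dashboard endpoint will accept. It also adds the one-time use, expiry and attempt cap the write-up found missing. The stores, phone numbers and limits are constructed for the demo.

```python
import secrets
import time

# Constructed in-memory stores for the demo (assumption: a real service would use
# a database or cache with the same semantics).
MAX_ATTEMPTS = 5          # wrong guesses allowed per issued OTP
OTP_TTL_SECONDS = 300     # OTP lifetime in seconds
_pending = {}             # phone -> {"otp": str, "expires": float, "attempts": int}
_sessions = {}            # session token -> phone; only the server writes here


def issue_otp(phone, now=None):
    """Generate a 6-digit OTP for `phone`. Returned here only so the demo can use it;
    a real service sends it by SMS and never includes it in an HTTP response."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[phone] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp


def verify_otp(phone, submitted, now=None):
    """Server-side check. A session token is minted only on a genuine match,
    so a client that rewrites an error body into {"status": "success"} gains
    nothing the dashboard endpoint will honour."""
    now = time.time() if now is None else now
    rec = _pending.get(phone)
    if rec is None or now > rec["expires"]:
        return {"status": "error", "message": "OTP expired or not requested"}
    if rec["attempts"] >= MAX_ATTEMPTS:
        return {"status": "error", "message": "Too many attempts; request a new OTP"}
    rec["attempts"] += 1
    if not secrets.compare_digest(rec["otp"], submitted):   # constant-time compare
        return {"status": "error", "message": "Invalid OTP"}
    del _pending[phone]                      # one-time use: a used OTP cannot be replayed
    token = secrets.token_urlsafe(32)
    _sessions[token] = phone
    return {"status": "success", "session": token}


def dashboard(session):
    """Protected endpoint: authorisation comes from the server's own session
    store, never from anything the client claims about an earlier response."""
    phone = _sessions.get(session)
    if phone is None:
        return None
    return f"Welcome home, {phone}"
```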

Report details -

27-Jul-2020 — Bug Reported to the concerned company.

30-Jul-2020 — Bug was marked fixed.

30-Jul-2020 — Re-tested and confirmed the fix.

01-Aug-2020 — Rewarded by the company.

YAYYYYYYYYY!!!!!!!!

This was all about this interesting finding. ☺

Thank you for reading :)

Nimish Jain, thanks for helping me out! :)

My Twitter :- https://twitter.com/blaa1999
