Easy Way For Bounty, OTP Bypass!!!
Hello amazing Hunter.
Today I want to talk about one of my reports. I can't believe that, after such a long time, other hunters had not reported it already.
First of all, my name is Arman, this is my first post, and I hope it is helpful for you. Let's go...
I chose a program on a small platform where the last 10 reports had all been marked as duplicates, but the site has a lot of functionality, which means... challenge accepted... 😎
So over around 3 to 4 days I found an IDOR and a few other things, but unfortunately all of them were duplicates :) Okay, I'm fine...
Let's talk about how the website handles registration. It was very close to the usual flow: the user enters an email and password, an OTP code is sent to that email, and after entering the code we are logged in to the account.
I spent some hours analyzing all the requests, and after a long time I noticed that there was nothing tying the OTP verification to my email 😁. Let me explain exactly what I mean.
Usually, if we capture the request that verifies the OTP code, it carries some parameter in the body or a cookie 🍪 that tells the server which user the OTP belongs to: the email, a pending-registration ID, or a session already tied to the account.
But in this scenario the request carried nothing that bound the OTP to my email. The server could only check whether the submitted code matched any outstanding OTP, with no way to tell which account the caller was supposed to be verifying. That means...
Step By Step:
- Register with email@example.com and get OTP 123, but don't enter the OTP (browser 1).
- In another browser, register with firstname.lastname@example.org and get OTP 456, but again don't enter the OTP (browser 2).
- Enter OTP 123 for email@example.com and 456 for firstname.lastname@example.org.
- Browser 1 is successfully logged in to email@example.com and browser 2 is successfully logged in to firstname.lastname@example.org.
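To make the difference concrete, here is an added example (constructed for this write-up, not the target site's code) that models the registration flow above with two verify endpoints: one that, like the site described, receives only the code and has to match it against every outstanding OTP, and one that looks the code up under the email the caller's own registration created. The store, the TTL, the attempt limit and the two-browser replay in `demo()` are all assumptions made for the illustration.

```python
"""Why an OTP verify endpoint must bind the code to an identity.

Constructed model of the registration flow in the write-up (not the target
site's code). `verify_unbound` is the behaviour described: the request
carries only the code. `verify_bound` checks the code against the record
for the caller's own pending email and adds expiry, an attempt budget and
constant-time comparison.
"""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed per-code guess budget


class OtpStore:
    """Outstanding registration codes, keyed by the email they were sent to."""

    def __init__(self):
        self.pending = {}   # email -> {"code", "expires", "attempts"}

    def issue(self, email, now=None, code=None):
        """Create a code for `email`. `code` is only for deterministic demos."""
        now = time.time() if now is None else now
        if code is None:
            code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return code


def verify_unbound(store, code):
    """VULNERABLE: the request carries only the code, so the server searches
    every outstanding OTP and logs the caller into whichever account the
    matching code was issued for. Returns that account's email or None."""
    for email, rec in list(store.pending.items()):
        if rec["code"] == code:
            del store.pending[email]
            return email          # the caller's session now owns this account
    return None


def verify_bound(store, email, code, now=None):
    """HARDENED: the code is checked only against the record for the identity
    the caller is registering; a code issued to another email never matches."""
    now = time.time() if now is None else now
    rec = store.pending.get(email)
    if rec is None:
        return False
    if now > rec["expires"]:
        del store.pending[email]    # expired codes are discarded, not compared
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del store.pending[email]    # burn the code after too many guesses
        return False
    if not hmac.compare_digest(rec["code"], code):
        return False
    del store.pending[email]        # single use
    return True


def demo():
    """Replay the two-browser scenario from the write-up against both endpoints."""
    browser1, browser2 = "email@example.com", "firstname.lastname@example.org"
    t0 = 1_700_000_000              # constructed clock value
    results = {}

    # Unbound endpoint: browser 1 submits the code that was mailed to browser 2's address.
    store = OtpStore()
    store.issue(browser1, now=t0, code="123456")
    c2 = store.issue(browser2, now=t0, code="654321")
    results["unbound"] = verify_unbound(store, c2)    # browser 2's account, from browser 1's session

    # Bound endpoint: the same cross-submission fails; the caller's own code works once.
    store = OtpStore()
    c1 = store.issue(browser1, now=t0, code="123456")
    c2 = store.issue(browser2, now=t0, code="654321")
    results["bound_cross"] = verify_bound(store, browser1, c2, now=t0)
    results["bound_own"] = verify_bound(store, browser1, c1, now=t0)
    results["bound_replay"] = verify_bound(store, browser1, c1, now=t0)
    results["bound_expired"] = verify_bound(store, browser2, c2, now=t0 + OTP_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The unbound endpoint also changes the brute-force math: because the attacker does not have to name a target, every outstanding code on the site is a valid hit, so the guess space is divided by the number of users currently mid-registration. Binding the lookup to one pending email, limiting attempts per code and expiring codes promptly closes both the account mix-up and that amplification.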
I immediately reported the bug and it was triaged the next day 😎
I hope this write-up was helpful for you. Have a good day!