Easy Way for Bounty: OTP Bypass!!!
Hello amazing Hunter.
Today I want to talk about one of my reports; I can't believe that, after such a long time, other hunters had not reported it already.
First of all, my name is Arman and this is my first post. I hope it is helpful for you. Let's go …
I chose a program on a small platform where the last 10 reports were duplicates, but the site has a lot of functions, which means… challenge accepted… 😎
So over around 3 to 4 days I found an IDOR and a few other things, but unfortunately all of them were duplicates :) Okay, I'm fine…
Let's talk about how the website handles registration. It was very close to the usual flow: the user enters an email and password for authentication, an OTP code is sent to that email, and after entering the code we are successfully logged in to the account.
I spent some hours analyzing all the requests, and after a long time I noticed that there was nothing tying the verification step to my email 😁. Let me explain more exactly what I mean.
Usually, if we capture the request that verifies the OTP code, there are some parameters in the body or a cookie 🍪 that show which user this OTP code belongs to.
Example:
email=evil@angel.com&otp=12345
But in this scenario there was nothing in the request to verify that the OTP belonged to my email. That means…
Step By Step:
- Register with abc@evil.com and receive OTP 123, but don't enter the OTP. (browser 1)
- In another browser, register with def@evil.com and receive OTP 456, but again don't enter the OTP. (browser 2)
- Enter OTP 123 for def@evil.com and OTP 456 for abc@evil.com.
- Browser 1 is successfully logged in to def@evil.com and browser 2 is successfully logged in to abc@evil.com.
I immediately reported the bug and it was triaged the next day 😎
I hope this write-up was helpful for you. Have a good day!