Easy Way For Bounty, OTP Bypass!!!

M7arm4n
Dec 4, 2021

Hello amazing Hunter.

Today I want to talk about one of my reports. I can’t believe that, after such a long time, other hunters had not reported it sooner.

First of all, my name is Arman, this is my first post, and I hope it will be helpful for you. Let’s go…

I chose a program on a small platform where the last 10 reports were duplicates, but the site has a lot of functions, which means… challenge accepted… 😎

So over around 3 to 4 days I found an IDOR and something else, but unfortunately all of them were duplicates :) Okay, I am fine…

Let’s talk about how the website works during registration. It was really close to other flows: when the user enters an email and password for authentication, an OTP code is sent to the email, and after entering the code we are successfully logged in to the account.

I spent some hours analyzing all the requests, and after a long time I noticed that there was nothing to verify my email 😁. Let me explain more exactly what I mean.

Usually, if we capture the request that verifies the OTP code, there are some parameters in the body or cookie 🍪 that show which user this OTP code is for.

Example:

email=evil@angel.com&otp=12345

But in this scenario we have nothing in the requests to verify that the OTP is for my email. It means that…

Step By Step:

  1. Register with abc@evil.com and get OTP 123, but don’t enter the OTP. (browser 1)
  2. In another browser, register with def@evil.com and get OTP 456, but again don’t enter the OTP. (browser 2)
  3. Enter OTP 123 for def@evil.com and 456 for abc@evil.com.
  4. Browser 1 successfully logs in to def@evil.com and browser 2 successfully logs in to abc@evil.com.
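The missing binding, sketched as an added example (not the site's code and not from the original post): `verify_unbound` is an assumed reconstruction of a server that lets the code alone select the account, and `verify_bound` checks the code only against the registration tied to the caller's session, with an attempt limit and one-time use. All function names, the session token and the in-memory store are assumptions made for illustration.

```python
import hmac
import secrets

MAX_TRIES = 5
pending = {}  # session token -> pending registration (in-memory stand-in for server state)

def start_registration(email, otp=None):
    """Open a pending registration. The OTP would be emailed; it is returned here for the demo."""
    session = secrets.token_urlsafe(16)             # set as a cookie in the registering browser
    otp = otp or f"{secrets.randbelow(10**6):06d}"  # fixed otp only for the constructed demo
    pending[session] = {"email": email, "otp": otp, "tries": 0}
    return session, otp

def verify_unbound(otp):
    """Assumed flawed logic: the code alone selects the account, whoever submits it."""
    for rec in pending.values():
        if rec["otp"] == otp:
            return rec["email"]
    return None

def verify_bound(session, otp):
    """Hardened: the code is checked only against the registration tied to this session."""
    rec = pending.get(session)
    if rec is None:
        return None
    rec["tries"] += 1
    if rec["tries"] > MAX_TRIES:
        del pending[session]                        # too many guesses: a new code must be issued
        return None
    if not hmac.compare_digest(rec["otp"].encode(), otp.encode()):
        return None
    del pending[session]                            # one-time use
    return rec["email"]

def demo():
    """Constructed replay of the two-browser steps, using the page's emails and codes."""
    pending.clear()
    s1, _ = start_registration("abc@evil.com", otp="123")   # browser 1
    s2, _ = start_registration("def@evil.com", otp="456")   # browser 2
    flawed = verify_unbound("456")        # browser 1 submits the other registration's code
    rejected = verify_bound(s1, "456")    # same submission, bound to browser 1's session
    accepted = verify_bound(s1, "123")    # browser 1's own code
    return flawed, rejected, accepted

if __name__ == "__main__":
    print(demo())
```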

I immediately reported the bug and it was triaged the next day 😎

I hope this write-up was helpful for you. Have a good day.
