OTP Bruteforce - Account Takeover

This is my first 4-digit bounty in $$$$, and I was really excited when I discovered a simple yet critical vulnerability in one of the private programmes.

This attack is very similar to https://thehackernews.com/2016/03/hack-facebook-account.html; the only difference is that the attack was on the login functionality itself.

Login mechanism: enter the mobile number, and the user receives an OTP. Enter the OTP and log in to the web application.

The flaw was that rate limiting was not in place, which gave an attacker endless opportunities to brute force the 6-digit code and log in to any account.
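To show what was missing on the server side, here is an added example (not the post's exploit code, and not the programme's own implementation) of an OTP verifier that closes the gap described above: a per-number failure counter that burns the code after a fixed number of wrong guesses, a validity window, single use, constant-time comparison, and one identical failure response so valid and invalid guesses cannot be told apart. The in-memory store, the phone numbers and the constants are assumptions for the demo; a constructed attacker loop shows the brute force stopping after the lockout.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # wrong guesses allowed per issued OTP (assumed policy)
OTP_TTL_SECONDS = 300   # OTP validity window (assumed policy)
OTP_DIGITS = 6          # same code length as in the post


class OtpStore:
    """Server-side OTP state keyed by phone number (assumed in-memory store)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._entries = {}       # phone -> {"otp", "expires", "failures"}

    def issue(self, phone, otp=None):
        # secrets.randbelow gives an unbiased code; never use random.randint here.
        # The otp argument only exists so tests can use a known code.
        otp = otp or f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._entries[phone] = {"otp": otp, "expires": self._now() + OTP_TTL_SECONDS, "failures": 0}
        return otp  # in production this goes to the SMS gateway, not back to the caller

    def active(self, phone):
        return phone in self._entries

    def verify(self, phone, guess):
        """True only for a correct, unexpired, not-yet-locked OTP.
        Every failure path returns the same False, so responses are indistinguishable."""
        entry = self._entries.get(phone)
        if entry is None:
            return False
        if self._now() > entry["expires"] or entry["failures"] >= MAX_ATTEMPTS:
            self._entries.pop(phone, None)   # burn the code: a fresh OTP must be requested
            return False
        if hmac.compare_digest(entry["otp"], str(guess)):
            self._entries.pop(phone, None)   # single use
            return True
        entry["failures"] += 1
        return False


def brute_force_simulation(store, phone):
    """Constructed attacker loop: try every 6-digit code in order, like the Intruder
    attack in the post. Returns (logged_in, attempts_made); stops once the OTP is burned."""
    for attempts, code in enumerate(range(10 ** OTP_DIGITS), start=1):
        if store.verify(phone, f"{code:0{OTP_DIGITS}d}"):
            return True, attempts
        if not store.active(phone):
            return False, attempts       # locked out by the failure counter
    return False, 10 ** OTP_DIGITS
```

With the counter in place the simulated attacker gets MAX_ATTEMPTS wrong guesses and is then cut off on the next request, instead of the hundreds of free iterations the original endpoint allowed.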

(Screenshot: response for a valid OTP)

(Screenshot: response for an invalid OTP)

So now we had two different responses for a valid and an invalid OTP during the authentication process.

Out of curiosity I checked in Intruder whether rate limiting was present and whether it could be bypassed — just following the bug hunting strategy of doubting everything in front of you.

And NO RATE LIMITING even after 50 wrong attempts :)

I could have exploited it in Intruder, but because most programme handlers are not information security experts and may or may not know BurpSuite/Intruder, I decided to write up an exploit. I always love presenting things this way, to give the end user a fair idea of how it can be exploited in the real world from the other side.

(Screenshot: exploit code, similar to the original with a few parts omitted)

Fire up the exploit and bruteforce OTP.

Note: the images are just for demo purposes and are very much identical to the actual ones; I can't share the original PoC exploit or screenshots.

And voilà, after a few hundred iterations we were able to log in to the app. I have hidden the cookie part of the exploit code; the cookie was finally replaced in the browser using the cookie editor EditThisCookie (https://github.com/ETCExtensions/Edit-This-Cookie), and the account takeover was complete.

I quickly created the PoC and sent it; it was triaged within hours and fixed in a day!

This was my highest bounty and has boosted my morale to explore this beautiful world of bug hunting.

I break things :)
