Password Bypass and Something Else…

Vibhurushi Chotaliya
Mar 16 · 2 min read

Hello guys

This is Vibhurushi Chotaliya. I hope you are doing well…

This post is about how I was able to bypass password protection when adding some bank details, and something else.

POC:

  1. After login, when I add bank details on xyz.com, it asks me for my account password.
  2. So I enter the correct password and catch the request in Burp. I got a response like {"status":"success","data":{"message":"Authentication successful."}}
  3. Now I'm able to change my bank details.
  4. Again I re-login to my account; this time I enter a wrong password and catch the request in Burp. I got a response like {"status":"error","data":"Incorrect password. Please try again."}
  5. Now you are thinking I changed the response and bypassed it… yes, you are right.
  6. Again I enter a wrong password and catch the request in Burp; again I got a response like {"status":"error","data":"Incorrect password. Please try again."}. Then I replaced it with this response {"status":"success","data":{"message":"Authentication successful."}} and I bypassed the password protection.

Password Bypass Done. Now Something Else.

  1. I reported this issue on 06 Feb 2018 to that bug bounty platform (sorry, I can't disclose the name).
  2. That platform closed my report (sorry for not disclosing the status of the report), because they didn't think about the risk to xyz Pvt. Ltd. I tried a lot to convince them about the impact of this issue, but I failed.
  3. A few days ago I was just checking all my reports. I saw my Password Bypass report, opened it, went back again, then closed my browser and shut down the laptop.
  4. After 2 minutes, I got the idea and thought: what happens if I report directly to xyz Pvt. Ltd.? I opened my laptop and reported the issue again to xyz Pvt. Ltd. via their support address. I reported this issue on 10 March 2019.
  5. On 11 March 2019 they replied back and said they were looking into the matter.
  6. On the morning of 12 March 2019 I got mail from that bug bounty platform and saw the status changed from closed to accepted, and they rewarded me $600. OMG, I was totally shocked. My report was accepted after one year and one month.

Guys, what I wanted to tell you is this: if you really think your report has a significant impact and they still close your report (without resolving it), contact that private organisation directly. You will definitely get an answer.

Written by Vibhurushi Chotaliya, Bug Hunter/Security Researcher