Let's start. It was an accidental discovery of an OTP bypass in Hotstar, India's No. 1 live streaming platform 😂. After my working hours, my friends and I were watching the Indian Premier League, which led to finding the OTP bypass. Hunting happens during fun time too (@ValueMentor).
As usual, we were watching IPL after work hours. While logging in to Hotstar, I had 2FA activated on my account.
The image below shows the Hotstar login page. There are two options, as you know: log in with a mobile number or with an email ID. For VIP customers there is an additional step: if they have activated 2FA, they receive an OTP on their registered mobile number.
For non-VIP customers there is one-step authentication: they can log in to their Hotstar account using either an OTP or an email and password.
As you can see below, I used my email ID, which has 2FA activated since I'm a VIP customer.
After entering the email ID and continuing normally, it shows a field to enter the OTP, as shown below.
This is the normal working process for VIP members who have activated 2FA.
Now let's try with a normal user. This is my other account, which doesn't have a VIP membership.
In this case, when continuing, it asks for the password to log in to the account, since the user has no membership. You can see this below.
So it asked for the password, and as you can see, the email ID field was still editable; they did not make it non-editable.
I just changed the email ID to the VIP membership email ID and entered the password,
and I was logged in to the account without an OTP.
When a user tries to log in with email, that field is editable, and they can easily change it to a VIP customer's email and log in.
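To make the flaw concrete, here is an added example (not Hotstar's code) that models the two-step login described above. It assumes the server decided whether an OTP was needed from the email on the first screen and then authenticated whatever email was submitted with the password; the accounts, passwords and the flawed-versus-corrected handlers are constructed for illustration.

```python
# Added example, not Hotstar's code. Accounts and passwords are constructed.
ACCOUNTS = {
    "vip@example.com":    {"password": "vip-pass",    "twofa": True},
    "normal@example.com": {"password": "normal-pass", "twofa": False},
}


def step1_identify(email: str) -> dict:
    """First screen: look up the email and record whether an OTP is needed."""
    acct = ACCOUNTS.get(email)
    return {"email": email, "otp_required": bool(acct and acct["twofa"])}


def vulnerable_step2(session: dict, submitted_email: str, password: str) -> str:
    """Flawed password screen (assumed model of the bug): trusts the step-1
    decision, but authenticates whichever email the still-editable field holds."""
    if session["otp_required"]:
        return "otp_required"
    acct = ACCOUNTS.get(submitted_email)
    if acct and acct["password"] == password:
        return "logged_in:" + submitted_email
    return "denied"


def fixed_step2(session: dict, submitted_email: str, password: str) -> str:
    """Corrected password screen: the 2FA policy is taken from the account
    actually being authenticated, so changing the email cannot skip the OTP.
    (Binding submitted_email to session["email"] would be a further hardening.)"""
    acct = ACCOUNTS.get(submitted_email)
    if not acct or acct["password"] != password:
        return "denied"
    if acct["twofa"]:  # decided from the account record, not from step-1 state
        return "otp_required"
    return "logged_in:" + submitted_email


def replay_report(step2) -> str:
    """Replay the sequence in the write-up: start as the normal user, then
    submit the VIP email and password on the password screen."""
    session = step1_identify("normal@example.com")
    return step2(session, "vip@example.com", "vip-pass")


if __name__ == "__main__":
    print("vulnerable:", replay_report(vulnerable_step2))  # logged_in:vip@example.com
    print("fixed:     ", replay_report(fixed_step2))       # otp_required
```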
Even if a VIP user loses their username or password through social engineering, they believe the OTP still protects them. According to Hotstar, if a user needs to change their password, they must use the forgot-password option to change or update it.
As we all know, social engineering is a popular attack for grabbing credentials.
I just used the same method to demonstrate the impact and reported it to Hotstar.
After 1 month
I had been asking for a long time to disclose this vulnerability. The response was like this:
Even though I didn't ask for any bounty, the response was not a decent appreciation from their side, in my opinion. Finally I sent a last mail to them about disclosing it,
and still got no response, so I decided to publicly disclose the vulnerability.
PoC. Due to security concerns I have blurred the details.
Scenario 1: the email and password of the grabbed account are in Notepad.
Scenario 2: when requesting login with it, the site asks for an OTP (the aim is to bypass the OTP authentication).
Scenario 3: using the normal account, login asks for a password.
Scenario 4: changing the email to the VIP member's email and entering the password.
OTP bypassed !!!!
Thanks For Reading.