How I Bypassed HotStar OTP Verification.

AmalThamban
Aug 1, 2019

Hello Friends,

Let's start. This was an accidental finding of an OTP bypass in HotStar, India’s No. 1 live streaming platform 😂. After working hours, my friends and I were watching the Indian Premier League, which led to the finding of the OTP bypass. The hunt happens during fun time too (@ ValueMentor).

As usual, we were watching the IPL after work hours. I was logging in to Hotstar with my account, on which I have activated 2FA.

The image below shows the Hotstar login page. As you know, there are two options: log in with a mobile number or with an email ID. There is also an option for VIP customers: the user gets an OTP on the registered mobile number if they have activated 2FA.

Login page of Hotstar

For non-VIP customers there is one-step authentication: they can log in to their Hotstar account using either an OTP or an email and password.

As you can see below, I used my email ID, which has 2FA activated, as I’m a VIP customer.

After entering the email ID and continuing, it normally shows a field to enter the OTP, as shown below.

While Requesting For OTP

This is the normal working process for VIP members who have activated 2FA.

Now let's try a normal user. This is my other account, which doesn’t have a VIP membership.

Normal account that doesn’t have VIP membership

In this case, on continuing, it asks non-membership users to enter the password to log in to the account, as you can see below.

So it asked for the password. As you can see, the email ID is still editable there; they don't make it non-editable.

I just changed the email ID to the VIP membership email ID and entered the password,

and I’m logged in to the account without an OTP.

Flow

When a user tries to log in with an email, that field is editable, so he can easily change it to a VIP customer's email and log in.
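The flaw described above, modeled as an added example (not code from the original post or from Hotstar): a password handler that trusts the screen chosen in step 1, next to one that re-checks the OTP requirement for the account actually being authenticated. The accounts, function names and session layout are assumptions made for illustration.

```python
import hmac

# Constructed sample accounts; plaintext secrets only to keep the demo short.
ACCOUNTS = {
    "vip@example.com":    {"password": "vip-pass",  "otp_required": True,  "otp": "493021"},
    "normal@example.com": {"password": "norm-pass", "otp_required": False, "otp": None},
}

def start_login(session, email):
    """Step 1: the server picks the next screen from the email typed first."""
    acct = ACCOUNTS.get(email)
    session["email"] = email
    return "otp" if acct and acct["otp_required"] else "password"

def password_login_vulnerable(session, email, password):
    """Trusts the step-1 decision: whatever email arrives with the password
    form is logged in, and the OTP requirement is never looked at again."""
    acct = ACCOUNTS.get(email)
    if acct and hmac.compare_digest(acct["password"], password):
        session["user"] = email
        return "logged_in"
    return "denied"

def password_login_hardened(session, email, password):
    """Re-derives the OTP requirement from the account being authenticated."""
    if email != session.get("email"):        # identity changed mid-flow
        return "denied"
    acct = ACCOUNTS.get(email)
    if not acct or not hmac.compare_digest(acct["password"], password):
        return "denied"
    if acct["otp_required"]:
        session["pending_user"] = email      # password alone is not a login
        return "otp_required"
    session["user"] = email
    return "logged_in"

def verify_otp(session, code):
    """Second factor: completes the login only for the pending account."""
    acct = ACCOUNTS.get(session.get("pending_user"), {})
    if acct.get("otp") and hmac.compare_digest(acct["otp"], code):
        session["user"] = session.pop("pending_user")
        return "logged_in"
    return "denied"
```

The point of the hardened handler is that the second-factor requirement is a property of the account, checked on the server at the moment credentials are verified, and not a property of which form the client happened to reach.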

Even if a VIP user loses his username or password via social engineering, he thinks that, for his security, there will still be an OTP. According to Hotstar, if a user needs to change the password, they need to use the forgot password option to change or update it.

As we all know, social engineering is a popular attack for grabbing credentials.

I just used the same method to show some impact and reported it to Hotstar.

Quick Response From Team

After 1 month

And after asking for a long time to disclose this vulnerability, the response was like this.

Response from Hotstar Team

Even though I didn’t ask for any bounty, the response was not a decent appreciation from their side, I feel. Finally I sent a last mail to them about disclosing it.

There was still no response, so I decided to publicly disclose the vulnerability.

Last mail from my side to disclose it.

PoC. Due to security issues I have blurred the details.

Scenario 1: The email and password of the grabbed account are in Notepad.

Scenario 2: While requesting, it asks for the OTP (the aim is to bypass OTP authentication).

Scenario 3: Using the normal account login, it asks for the password.

Scenario 4: Changing the email to the VIP member email and entering the password.

OTP bypassed !!!!

Thanks For Reading.

Amal Thamban
