- This is a vulnerability which I’ve found on one of hackerone’s private programs so I can’t mention the program name and considering that the vulnerability was closed as duplicated to a valid report so let’s use an alias ( duplicated.com ) .
Let’s Go :
- as the name is saying I’ve bypassed the phone number validation by manipulating the url path on two endpoints . The first one in the sign up process which wasn’t really critical ( but I don’t think that a user would like to use his number without his permission considering that the program was holding sensitive info’s such CC’s etc … ) , and the other one was in the endpoint where the user updates his account information .
- So in the first attempt I tried to bypass it using response manipulation but it didn’t work .
- then I noticed that the OTP validation page was redirecting me to the dashboard page . I tried to manipulate the url and change the path from duplicated.com/phone-validation to duplicated.com/dashboard and guess what I was redirected to the dashboard page and when I checked the user account settings I found the new phone number ( validated yeah damn validated ) without using the OTP .
Don’t mind my edit please !
So what’s the impact dude ? :
- As I said the impact is somehow nothing in the sign up scenario we’re just using someone’s phone number without his permission . in contrast in the account setting update scenario it’s critical . from a victim perspective just imagine someone breaking into your account then enabling the 2FA ! . or an attacker breaking into your account then each time you recover it he breaks into it again using the rest password functionality ! . in case of a csrf vuln in the phone number update process on a website that doesn’t validate the OTP this is a clear easy account takeover . Here’s the steps to reproduce this issue .
Steps To Reproduce:
account creation :
- create an account and validate the email .
- complete the account information field
- set any phone number even used by another user
- the link will look something like this https://www.duplicated.com/signup/phone-verification
- update it to https://www.duplicated.com/dashboard and press enter
- check the account information you’ll find the phone number there .
updating the phone number :
- go to account sitting and change the phone number to another one even if it’s used by another user
- do the same and change the link as the previous process
- phone number updated . and validated !
June 3rd — reported .
July 10th — first response with a duplicate status ( I thought they’re planning to respond in the next century )
The root cause of the vulnerability is that they’re not validating the OTP it self but relaying on some kind of client side validation that checks for where the user came from .
I’m not a fan for write ups but this was a must considering that I’m writing an article about abusing and protecting 2FA and OTP endpoints ( wait for it ) so this would be a great real world example for url path manipulation . Follow my activity on linkedin if you wish to so you can see my next write ups or articles https://www.linkedin.com/in/ben-aymen-2398651b0/