How I can take over any user’s account with their mobile number
Hi everyone! Hope you all are healthy and safe. This is my first write-up on one of the findings in a private program where I was able to completely take over any user’s account with their mobile number.
Before starting, please ignore any grammatical mistakes.
Let's assume the website is redacted.com. Like every other bug bounty hunter, I started by understanding how the website worked, and began testing for XSS in all of the site's input fields. I didn't expect to find an XSS vulnerability so easily in the search field.
On redacted.com there is a user registration page for creating an account. I filled in all the required fields and clicked Submit.
After clicking the Submit button, the site redirects to a page where you must enter the OTP that has been sent to the mobile number.
Here I tried to brute-force the 6-digit OTP using Burp Intruder, but it didn't work. So I went through the requests in Burp's HTTP history. In that POST request, one parameter caught my eye, i.e.
I thought that maybe the OTP was being generated in response to this request. When I looked at the response, it contained the generated OTP, base64-encoded.
When I base64-decoded the value, I got the same OTP that I had received on my mobile. I then entered the decoded OTP and intercepted the request in Burp to check the response. The server validates the submitted OTP by matching it against
"genreatedotp".
After forwarding the request, the account was successfully registered.
What if the company followed the same process on the login page? I entered the registered mobile number, captured the request in Burp, and BOOMMMMMMMM!!!!!!! They follow exactly the same process. I immediately decoded the base64 value, entered the OTP, and submitted the request. I was able to log in to the account.
Using this, anyone who knows a user's mobile number can take over that user's account: the OTP that is supposed to prove possession of the phone is handed to the client in the very response that triggers it, so the SMS never has to be seen, and base64 is an encoding, not a secret. The fix is to keep the OTP (or a keyed hash of it) on the server only and never include it in any response.
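To make the flow above concrete, here is an added example (my own code, not the program's or the author's) that replays the attack against a model of the vulnerable OTP service and then against a hardened one. The field name "genreatedotp" is the one from the write-up; the JSON shape of the response, the sample OTP value, the phone numbers and the two service classes are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

OTP_FIELD = "genreatedotp"  # field name as seen in the write-up (typo and all)

# Constructed sample response: the post shows only the field name and that the
# value is base64; the surrounding JSON shape and the OTP value are assumed.
SAMPLE_RESPONSE = json.dumps(
    {"status": "success", OTP_FIELD: base64.b64encode(b"482913").decode()}
)


def recover_otp(response_body: str, field: str = OTP_FIELD) -> str:
    """Attacker side: pull the base64-encoded OTP out of the send-OTP response.
    Raises KeyError when the response carries no such field."""
    data = json.loads(response_body)
    return base64.b64decode(data[field]).decode()


def new_otp() -> str:
    """Six random decimal digits, zero-padded."""
    return "%06d" % secrets.randbelow(10 ** 6)


class VulnerableOtpService:
    """Models the behaviour described in the post: the send-OTP response echoes
    the generated code back to the client, base64-encoded."""

    def __init__(self, deliver_sms=lambda phone, otp: None):
        self._deliver_sms = deliver_sms
        self._pending = {}  # phone -> plaintext otp

    def send_otp(self, phone: str) -> str:
        otp = new_otp()
        self._pending[phone] = otp
        self._deliver_sms(phone, otp)
        # The bug: the secret leaves the server in the HTTP response.
        encoded = base64.b64encode(otp.encode()).decode()
        return json.dumps({"status": "success", OTP_FIELD: encoded})

    def verify(self, phone: str, submitted: str) -> bool:
        return self._pending.get(phone) == submitted


class HardenedOtpService:
    """Keeps only an HMAC of the OTP server-side, returns no secret material,
    makes the code single-use and limits wrong guesses."""

    MAX_ATTEMPTS = 5

    def __init__(self, server_key: bytes, deliver_sms=lambda phone, otp: None):
        self._key = server_key
        self._deliver_sms = deliver_sms
        self._pending = {}  # phone -> [digest, attempts]

    def _digest(self, phone: str, otp: str) -> bytes:
        return hmac.new(self._key, f"{phone}:{otp}".encode(), hashlib.sha256).digest()

    def send_otp(self, phone: str) -> str:
        otp = new_otp()
        self._pending[phone] = [self._digest(phone, otp), 0]
        self._deliver_sms(phone, otp)  # the only channel the code travels on
        return json.dumps({"status": "success"})  # nothing secret in the response

    def verify(self, phone: str, submitted: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        entry[1] += 1
        if entry[1] > self.MAX_ATTEMPTS:
            del self._pending[phone]  # too many guesses: force a fresh OTP
            return False
        ok = hmac.compare_digest(entry[0], self._digest(phone, submitted))
        if ok:
            del self._pending[phone]  # single use
        return ok


def takeover(service, victim_phone: str) -> bool:
    """Replay the write-up's attack: trigger the OTP for the victim's number,
    read it from the response, and submit it. True means the attacker got in."""
    body = service.send_otp(victim_phone)
    try:
        otp = recover_otp(body)
    except KeyError:
        return False  # nothing to decode: the attack does not apply
    return service.verify(victim_phone, otp)


if __name__ == "__main__":
    print("vulnerable:", takeover(VulnerableOtpService(), "+10000000000"))
    print("hardened:  ", takeover(HardenedOtpService(b"server-key"), "+10000000000"))
```

Running the script shows `vulnerable: True` and `hardened: False`. The hardened service also addresses the brute-force path tried earlier in the post: with six digits and only a handful of guesses per code before it is discarded, an Intruder run gets nowhere.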
Thanks for reading!