How I could hack into any OLX account! (Full Account Takeover without user interaction)
I wanted to sell my old laptop, so I installed the OLX app on my phone. I posted the ad and then thought about testing some of my newly gained knowledge of mobile app penetration testing, and decided to start with dynamic analysis.
I launched the Swiss Army knife of hackers, Burp Suite, proxied my browser and started fiddling with the OLX registration and login pages. I found no issues there, so I moved on to the mobile app.
I set up the Burp certificate on my Android device and launched the OLX app on my phone. Starting again from registration and login, I noticed that the verify-OTP endpoint had no rate limit at all. Since the OTP had only 4 digits, the attack space ran from 0000 to 9999, meaning only 10,000 requests. I tested this with my own mobile number, but the same held for every account: you could log in to any account you chose.
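To make the point concrete, here is an added Python example (written for this page, not OLX's code or the original post's) that models the verify-OTP endpoint as an in-memory mock. The vulnerable version checks only whether the code matches, so a 4-digit OTP falls to at most 10,000 guesses; the hardened version counts attempts per phone number and invalidates the code after a small number of failures, so the same brute force gets nowhere. The phone number, the `MAX_ATTEMPTS` value and the class names are all assumptions made up for the demo.

```python
import secrets

OTP_DIGITS = 4
OTP_SPACE = 10 ** OTP_DIGITS  # 10,000 candidate codes for a 4-digit OTP


class VulnerableOtpService:
    """Mock of a verify-OTP endpoint with no attempt limiting (hypothetical)."""

    def __init__(self):
        self._otps = {}  # phone -> current OTP

    def send_otp(self, phone, code=None):
        # A real service would SMS the code; we return it so the demo can use a fixed value.
        code = code or f"{secrets.randbelow(OTP_SPACE):0{OTP_DIGITS}d}"
        self._otps[phone] = code
        return code

    def verify(self, phone, otp):
        # The only check is "does it match?", so an attacker may simply try all 10,000 codes.
        return self._otps.get(phone) == otp


class HardenedOtpService(VulnerableOtpService):
    """Same endpoint with a per-number attempt counter and one-time use (hypothetical)."""

    MAX_ATTEMPTS = 5  # assumed limit; pick what suits your risk appetite

    def __init__(self):
        super().__init__()
        self._attempts = {}  # phone -> failed/total attempts against the current code

    def send_otp(self, phone, code=None):
        self._attempts[phone] = 0  # a fresh code resets the counter
        return super().send_otp(phone, code)

    def verify(self, phone, otp):
        if phone not in self._otps:
            return False  # no live code: expired, used, or locked out
        self._attempts[phone] += 1
        if self._attempts[phone] > self.MAX_ATTEMPTS:
            # Too many guesses: burn the code so the user must request a new one.
            self._otps.pop(phone, None)
            return False
        ok = secrets.compare_digest(self._otps[phone], otp)  # constant-time compare
        if ok:
            self._otps.pop(phone, None)  # one-time use: a correct code cannot be replayed
        return ok


def brute_force(service, phone):
    """Try every code 0000..9999 in order; return (code, attempts) or (None, attempts)."""
    for n in range(OTP_SPACE):
        guess = f"{n:0{OTP_DIGITS}d}"
        if service.verify(phone, guess):
            return guess, n + 1
    return None, OTP_SPACE


if __name__ == "__main__":
    victim = "+910000000000"  # constructed sample number, not a real one
    for cls in (VulnerableOtpService, HardenedOtpService):
        svc = cls()
        svc.send_otp(victim, code="4242")  # fixed code so both runs are comparable
        print(cls.__name__, brute_force(svc, victim))
```

Against the vulnerable mock the loop recovers the code after 4,243 requests; against the hardened one it exhausts all 10,000 guesses without ever succeeding, because the code is invalidated after the sixth attempt. Note that the attempt counter is keyed per phone number, not per source IP, so rotating proxies does not help the attacker; in production you would also want the OTP to expire after a few minutes and the lockout to be logged.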
I double-checked the bug and:
- Sent a mail to the OLX support team on 26th June.
- Sent a complete report with a video explanation on 6th July.
- Received an acknowledgement and a thank-you email from OLX.
- Within a few days the issue was fixed; the number of attempts is now limited.
I also got a thank-you call from their support team :) and a mention in their Security Hall of Fame.
Here is the link to the HackerOne report; HackerOne now handles their bug bounties.