🔴 Race Condition + IDOR Leads to Bypassing Email Verification & Phone Verification

CyberOz
3 min read · Mar 11, 2024

First, we need to understand the verification process on the website. When creating a new account, you need to verify your email and phone number. To verify your phone number, you need to confirm it through the link sent to your email, and from that link, you can enter the OTP.

To explain it clearly, let’s use the following scenario:

  • Request 1 = Attacker
  • Request 2 = Victim

I started by examining the website's verification process, and after multiple attempts I managed to exploit a race condition: by leveraging the response time, two simultaneous requests were issued the same OTP. Here’s how the vulnerability occurred:

To simulate the scenario, I sent two requests simultaneously:

  • To ensure simultaneous sending, I used different browsers, each with a different session, “as the server processes one request at a time per session.”
  • I then sent the two requests at the exact same time by creating a group in Burp Suite and sending them using “Send group in parallel (last-byte sync)”.
  • By exploiting the race condition, I was able to obtain the same OTP number for both the victim and the attacker, as shown in the image: the same OTP for two different phone numbers.

However, as we mentioned earlier, to complete the verification process, you need to verify the OTP through the link sent to the email. So, obtaining the OTP alone doesn’t serve any purpose.

After many attempts to bypass email verification, I noticed a parameter in the request body called “PKID”.

PKID Parameter

The interesting thing is that its value increases by one with each new account creation!

So, I created two accounts as part of the scenario: one as an attacker and the other as a victim, and I exploited the race condition to obtain the victim’s mobile OTP.

Now, all that’s left is to bypass the link sent to the email. I did this by accessing the link in the email (as the attacker) and modifying the “PKID” parameter value to be one higher or lower, such as changing it from 5 to either 4 or 6. I also set the OTP parameter value to the OTP that had been received on both the attacker’s and the victim’s numbers, so that they matched.

By doing this, I was able to bypass the email verification and phone verification.
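As an added example that is not part of the original post or the website's code, the following Python sketch models the two weaknesses as a toy verification service and places a hardened version beside it. The class names, the PKID-indexed account store and the guess that the vulnerable OTP was derived from the wall clock are assumptions for illustration; the post only reports that two parallel requests were given the same OTP and that a neighbouring PKID was accepted in the email link.

```python
"""Toy verification service: insecure vs. hardened (added example, not the
site's code). The clock-derived OTP is an ASSUMED root cause."""
import hmac
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Dict, Optional

OTP_DIGITS = 6


@dataclass
class Account:
    pkid: int                      # sequential id, as observed in the write-up
    email: str
    phone: str
    phone_otp: Optional[str] = None
    otp_consumed: bool = False
    phone_verified: bool = False


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}
        self.next_pkid = 1

    def create_account(self, email: str, phone: str) -> int:
        pkid = self.next_pkid
        self.next_pkid += 1        # PKID increases by one per signup
        self.accounts[pkid] = Account(pkid, email, phone)
        return pkid


class InsecureOtpService(AccountStore):
    """Assumed weak pattern: the OTP is derived from the current second, so two
    requests that land in the same second share a code; the email link's PKID
    is trusted without checking which account the caller is logged in as."""

    def send_phone_otp(self, pkid: int, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        otp = f"{now % 10**OTP_DIGITS:0{OTP_DIGITS}d}"   # same second -> same OTP
        self.accounts[pkid].phone_otp = otp
        return otp

    def verify_from_email_link(self, pkid: int, otp: str) -> bool:
        acct = self.accounts[pkid]   # IDOR: any PKID in the link is accepted
        if acct.phone_otp == otp:
            acct.phone_verified = True
            return True
        return False


class HardenedOtpService(AccountStore):
    """Fixes: CSPRNG OTP per request, single use under a lock, constant-time
    comparison, and the link's PKID must match the authenticated session."""

    def __init__(self) -> None:
        super().__init__()
        self._lock = threading.Lock()

    def send_phone_otp(self, pkid: int) -> str:
        otp = f"{secrets.randbelow(10**OTP_DIGITS):0{OTP_DIGITS}d}"
        with self._lock:
            acct = self.accounts[pkid]
            acct.phone_otp = otp
            acct.otp_consumed = False
        return otp

    def verify_from_email_link(self, session_pkid: int, pkid: int, otp: str) -> bool:
        if session_pkid != pkid:     # IDOR fix: object must belong to the caller
            return False
        with self._lock:             # race fix: first correct submission wins
            acct = self.accounts[pkid]
            if acct.phone_otp is None or acct.otp_consumed:
                return False
            if not hmac.compare_digest(acct.phone_otp, otp):
                return False
            acct.otp_consumed = True
            acct.phone_verified = True
            return True
```

In the hardened version the identifier can stay sequential; what closes the hole is refusing to act on an object that does not belong to the authenticated session, together with OTPs that are fresh per request and consumed exactly once. A verification request whose PKID differs from the session's own account is also a cheap thing to alert on in the application logs.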

In conclusion, I hope my explanation was clear. If you found it helpful, don’t forget to like, follow me on X/Twitter and share your feedback.

Thank you for reading!
