Hello guys, I am Kanhaiya Kumar Singh and this is my first write-up, about my finding of an OTP bypass.

Description of Vulnerability:

First of all, let's assume the website is example.com. This is the simplest bug (vulnerability) that I found. When I created an account on example.com I received an OTP at my email address for verifying the email. I entered the correct OTP and looked at the response to this request. The response was very simple: HTTP/1.1 200 Created with the body {}. So I thought, let's bypass the OTP verification.

Steps to Reproduce:

  1. Create an account using abc123@gmail.com.
  2. An OTP is sent to the abc123@gmail.com email address.
  3. Enter the correct OTP and capture the request in Burp. Right-click the request and choose Do Intercept > Response to this request.
  4. This is the response: HTTP/1.1 200 Created and {}.
  5. Now create another account, victim123@gmail.com.
  6. Again an OTP is sent to the victim123@gmail.com email address.
  7. But I don't have access to the victim's email account. Let's bypass the OTP verification.
  8. Enter any wrong OTP and capture the request in Burp. Right-click the request and choose Do Intercept > Response to this request.
  9. In the response there is an error message: HTTP/1.1 400 Bad Request and {"error": "user_not_verified"}.
  10. Replace that error response with HTTP/1.1 200 Created and {}.
  11. Boom, the account is verified successfully.
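The bypass in the steps above works because the application treats the HTTP response as the source of truth for "verified", so whoever edits that response in a proxy decides the outcome. The fix is to keep the verification state on the server and re-check it on every privileged request. The following is an added example, not code from the original post or from example.com; it uses a constructed in-memory user store and hypothetical function names, and shows the vulnerable client-side check next to the server-side gate that a tampered response cannot move:

```python
import hmac
import secrets

# Constructed in-memory user store standing in for example.com's backend (hypothetical).
USERS = {}
MAX_ATTEMPTS = 5

def register(email):
    """Create an unverified account and issue a 6-digit OTP (returned as the mailer would see it)."""
    otp = f"{secrets.randbelow(10**6):06d}"
    USERS[email] = {"otp": otp, "verified": False, "attempts": 0}
    return otp

def verify_otp(email, submitted):
    """Server-side check: the 'verified' flag flips only on a correct OTP, never on a response body."""
    user = USERS.get(email)
    if user is None or user["otp"] is None:          # unknown user, or OTP already consumed
        return 400, {"error": "user_not_verified"}
    if user["attempts"] >= MAX_ATTEMPTS:             # throttle brute-force guessing
        return 429, {"error": "too_many_attempts"}
    user["attempts"] += 1
    if hmac.compare_digest(user["otp"], submitted):  # constant-time compare, single use
        user["verified"], user["otp"] = True, None
        return 200, {}
    return 400, {"error": "user_not_verified"}

def client_trusts_response(status, body):
    """The vulnerable pattern from the write-up: the front end decides 'verified' from the
    response it received, so anyone rewriting that response in a proxy controls the result."""
    return status == 200 and body == {}

def protected_action(email):
    """Hardened pattern: each privileged request re-checks the server-side flag instead."""
    if not USERS.get(email, {}).get("verified"):
        return 403, {"error": "user_not_verified"}
    return 200, {"status": "ok"}

if __name__ == "__main__":
    otp = register("victim123@gmail.com")
    wrong = "000000" if otp != "000000" else "111111"     # a guess that is certainly wrong
    print(verify_otp("victim123@gmail.com", wrong))       # server answers 400 user_not_verified
    # The attacker rewrites that answer to 200 {} in the proxy; the client believes it...
    print(client_trusts_response(200, {}))
    # ...but the server never changed its state, so the real gate still refuses.
    print(protected_action("victim123@gmail.com"))
```

Logging the 400 responses per account and alerting on repeated failures followed by privileged requests from an unverified account is the detection side of the same design.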

Timeline:
Bug Reported: 5 February 2020
Bug Triaged: 6 February 2020
Bounty Rewarded: € xxx

I hope you enjoyed this reading.

Thank You!
~Kanhaiya Kumar Singh
(https://twitter.com/rat760)

Follow me on Twitter
