Account Takeover via OTP Bruteforce (Apigee API)

Hi All

This is a short post on one of my findings in a Bugcrowd Private program, which could result in account takeover of any user by an attacker.

Vulnerability Type :

Product Area:

Attack Vector:

Impact:

Proof of Concept:

Within a short time I was able to reset the password of an account by intercepting the OTP validation request and brute-forcing the 6-digit code. The validation endpoint accepted an unbounded number of attempts, so the whole 6-digit space (1,000,000 codes) can be tried. Using this, it is possible to reset the password of any account: change the user data in the reset request to the victim's identifier, then brute-force the reset OTP issued for that user.

Vulnerable request

Response

Brute-forcing the OTP successfully allowed me to set a new password for any e-commerce user.
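The root cause is an OTP check with no attempt budget. Below is an added example (not the program's or the vendor's code) that models the vulnerable check next to a hardened one and runs the same sequential brute force against both. The class and function names, the attempt limit and the TTL are hypothetical values chosen for the demo; the OTP codes are constructed test data, not codes from the report.

```python
"""Illustrative OTP verification: vulnerable vs. hardened (example, not vendor code)."""
import hmac
import secrets
import time

OTP_DIGITS = 6
MAX_ATTEMPTS = 5         # assumed policy value for the demo
OTP_TTL_SECONDS = 300    # assumed policy value for the demo


class OtpRecord:
    def __init__(self, code, issued_at):
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0


class VulnerableOtpService:
    """Keeps no attempt counter: an attacker can try all 10**6 codes."""

    def __init__(self):
        self._pending = {}   # user_id -> OtpRecord, bound to the user who requested it

    def issue(self, user_id, code=None, now=None):
        # `code` may be fixed by the caller so the demo is deterministic.
        if code is None:
            code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = OtpRecord(code, now or time.time())
        return code

    def verify(self, user_id, candidate, now=None):
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        # No attempt limit, no expiry, no single-use: this is the bug.
        return rec.code == candidate


class HardenedOtpService(VulnerableOtpService):
    """Same issuance, but verification burns the code after a few failures."""

    def verify(self, user_id, candidate, now=None):
        now = now or time.time()
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        if now - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]          # expired, force a fresh OTP
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]          # too many guesses, burn the code
            return False
        if hmac.compare_digest(rec.code, candidate):
            del self._pending[user_id]          # single use on success
            return True
        return False


def brute_force(service, user_id):
    """Sequentially try every 6-digit code. Returns (success, attempts_made)."""
    total = 10 ** OTP_DIGITS
    for n in range(total):
        if service.verify(user_id, f"{n:0{OTP_DIGITS}d}"):
            return True, n + 1
    return False, total


if __name__ == "__main__":
    vuln = VulnerableOtpService()
    vuln.issue("victim", code="483920")          # constructed demo code
    print("vulnerable:", brute_force(vuln, "victim"))   # (True, 483921)

    hard = HardenedOtpService()
    hard.issue("victim", code="483920")
    print("hardened:  ", brute_force(hard, "victim"))   # (False, 1000000)
```

The server-side counter is what closes the hole; it must be keyed to the OTP record (the user the code was issued for), not to the client IP, because the attacker controls the source address and the target user identifier. A gateway-level quota (Apigee ships Quota and SpikeArrest policies for this) is a useful second layer but does not replace the per-OTP attempt limit.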

Disclosure Timeline:

4 Feb 2020 : Verified the fix

Related Reports : https://thehackernews.com/2016/03/hack-facebook-account.html

Security engineer | OSCP | Note: blog posts do not represent my employer in any way; this work was performed during my free time.
