#BugBounty — “I don’t need your current password to login into your account” - How could I completely takeover any user’s account in an online classified ads company.

Hi Guys,

“User account compromise”! Yes, you read that right. This was an excellent vulnerability which I found recently during my bug bounty hunting on India’s most popular online classified ads company.

“An OTP is more secure than a static password, especially a user-created password, which is typically weak.” We all agree with this, but what if someone could brute-force it, and what if someone could bypass OTP authentication? That is what makes it vulnerable, and targeting exactly that, I carried out this critical piece of hunting. Let’s look into the details —

Forgot Password Page

While browsing through the website for vulnerabilities, I went to the “Forgot Password” functionality, which asked me to enter the registered mobile number.

OTP Verification Page

As I entered the number, it sent me an OTP, and after filling in the right OTP in the form, it redirected me to the “New password page”, where I was allowed to set a new password for my account.

I first jumped into the most common and basic attack to bypass an OTP: brute-forcing it, to see whether any rate limiting or captcha was implemented. But, as I said, it was “most common and basic”, so it was not going to help me: a captcha was enforced after 3 consecutive wrong attempts.

Let’s dive into this more. When I entered a wrong OTP, I got the following response —

Wrong OTP HTTP Response

Notice the “status” parameter with the value “401”, which means an “Unauthorized” error response; that was expected, since I had entered a wrong OTP. To check whether the redirect to the next step was based only on client-side validation, I tried to bypass it: I captured the response, changed the “status” JSON parameter value to “200”, and forwarded the response -

Changed HTTP Response

But some validation was still there, and it threw me the error message -

Invalid OTP Error Message

Perhaps the other parameters were causing the validation error, so this time I removed all the JSON parameters and added a “success” parameter with the value “true”, so that the response JSON now looked like this —

Modified HTTP Response

and this time I was redirected to the “Set Password Page” :D -

Forgot Password Page

I was able to set a new password for the user, and using the changed password I successfully logged into the user’s account. This is how I could bypass OTP authentication, set a new password for the user, and completely compromise his account knowing only his mobile number.
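The root cause behind the flow above is that the client moved on to the “Set Password” step on the strength of a JSON response it could edit, and the set-password endpoint did not independently check that an OTP had ever been verified for that number. The following is an added example, written for this write-up and not code from the author or the affected company, that simulates both endpoints in plain Python: a `set_password_vulnerable` that trusts the client’s sequence of steps, and a `set_password_fixed` that only honours a short-lived, single-use reset token the server itself minted after a correct OTP. All phone numbers, passwords and the in-memory stores are constructed demo data, and the three-attempt lockout mirrors the captcha-after-3-wrong-attempts behaviour described earlier.

```python
import hmac
import secrets
import time

# Constructed demo data, not the real site: one registered user keyed by phone number.
USERS = {"+91-0000000000": {"password": "old-password"}}
SMS_OUTBOX = {}      # phone -> last OTP "sent"; stands in for the SMS channel
PENDING_OTPS = {}    # phone -> {"otp": str, "attempts": int}
RESET_TOKENS = {}    # token -> {"phone": str, "expires": float}
MAX_ATTEMPTS = 3
TOKEN_TTL_SECONDS = 300


def reset_demo_state():
    USERS["+91-0000000000"] = {"password": "old-password"}
    SMS_OUTBOX.clear()
    PENDING_OTPS.clear()
    RESET_TOKENS.clear()


def request_otp(phone):
    """Step 1: generate a 6-digit OTP and send it out of band (here: the outbox)."""
    if phone in USERS:
        otp = f"{secrets.randbelow(10**6):06d}"
        PENDING_OTPS[phone] = {"otp": otp, "attempts": 0}
        SMS_OUTBOX[phone] = otp
    # Same response either way, so the endpoint does not reveal registered numbers.
    return {"status": 200, "success": True}


def verify_otp(phone, submitted):
    """Step 2: check the OTP on the server. Success mints a reset token; the JSON
    sent back is for display only and carries no authority of its own."""
    pending = PENDING_OTPS.get(phone)
    if pending is None:
        return {"status": 401, "success": False, "message": "Invalid OTP"}
    if pending["attempts"] >= MAX_ATTEMPTS:
        return {"status": 429, "success": False, "message": "Too many attempts"}
    pending["attempts"] += 1
    if not hmac.compare_digest(pending["otp"], submitted):
        return {"status": 401, "success": False, "message": "Invalid OTP"}
    del PENDING_OTPS[phone]              # an OTP is good for one successful check only
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"phone": phone, "expires": time.time() + TOKEN_TTL_SECONDS}
    return {"status": 200, "success": True, "reset_token": token}


def set_password_vulnerable(phone, new_password):
    """The pattern behind the write-up: the endpoint assumes the browser only reaches
    it after the OTP page reported success, so it accepts the phone number alone."""
    USERS[phone]["password"] = new_password
    return {"status": 200, "success": True}


def set_password_fixed(reset_token, new_password):
    """Hardened: only a token the server itself issued in verify_otp is accepted.
    It is bound to the phone, single-use (popped here) and short-lived."""
    entry = RESET_TOKENS.pop(reset_token, None)
    if entry is None or entry["expires"] < time.time():
        return {"status": 401, "success": False, "message": "Invalid or expired token"}
    USERS[entry["phone"]]["password"] = new_password
    return {"status": 200, "success": True}


def login(phone, password):
    user = USERS.get(phone)
    return user is not None and hmac.compare_digest(user["password"], password)


def wrong_guess(phone):
    # Demo instrumentation: pick a value that is guaranteed not to be the OTP sent.
    return "000001" if SMS_OUTBOX[phone] == "000000" else "000000"


def run_demo(phone="+91-0000000000"):
    """Replays both flows and reports which one lets a wrong OTP change the password."""
    results = {}
    # A client that ignores the 401 (which is what editing the response to "success"
    # achieves in the browser) and calls the set-password endpoint anyway.
    reset_demo_state()
    request_otp(phone)
    verify_otp(phone, wrong_guess(phone))            # server answers 401
    set_password_vulnerable(phone, "attacker-chosen")
    results["vulnerable_takeover"] = login(phone, "attacker-chosen")

    reset_demo_state()
    request_otp(phone)
    resp = verify_otp(phone, wrong_guess(phone))     # 401, and no token is issued
    set_password_fixed(resp.get("reset_token", ""), "attacker-chosen")
    results["fixed_takeover"] = login(phone, "attacker-chosen")

    # Legitimate holder of the phone: correct OTP -> token -> new password, once.
    reset_demo_state()
    request_otp(phone)
    resp = verify_otp(phone, SMS_OUTBOX[phone])
    set_password_fixed(resp["reset_token"], "new-password")
    results["legit_reset_ok"] = login(phone, "new-password")
    results["token_reuse_ok"] = set_password_fixed(resp["reset_token"], "again")["success"]

    # Lockout: after MAX_ATTEMPTS wrong guesses even the right OTP is refused.
    reset_demo_state()
    request_otp(phone)
    for _ in range(MAX_ATTEMPTS):
        verify_otp(phone, wrong_guess(phone))
    results["locked_status"] = verify_otp(phone, SMS_OUTBOX[phone])["status"]
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the comparison is that in the fixed version nothing the client can edit on its own machine changes the server’s decision: the only thing that unlocks the password change is a token that exists solely because `verify_otp` succeeded, and it dies after one use or five minutes. Whatever the UI shows after a tampered response, the set-password request still fails server-side.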

Report details:

07-Jan-2018 — Bug Reported to the concerned company.

27-Jan-2018 — Bug was marked fixed.

03-Feb-2018 — Re-tested and confirmed the fix.

28-Feb-2018 — Rewarded by the company.

This was all about this interesting finding. ☺

Thanks!

~Logicbomb (https://twitter.com/logicbomb_1)

Avinash Jain (@logicbomb_1)

Written by

Lead Infrastructure Security Engineer@Grofers | DevSecOps | Speaker | Breaking stuff to learn | Featured in Forbes | Acknowledged by Google, NASA, Yahoo, UN etc

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
