#BugBounty — “I don’t need your current password to login into your account” - How could I completely takeover any user’s account in an online classified ads company.

Hi Guys,

User account compromise” ! Yes, you read right . This was an excellent vulnerability which I have found recently during my bug bounty hunting in India’s most popular online classified ads company.

“An OTP is more secure than a static password, especially a user-created password, which is typically weak” and we all agree to this but what if someone could bruteforce it and what if someone could bypass OTP authentication? That what makes it vulnerable and targeting the same , I carried out this critical piece of hunt. Let’s see into the details —

Forgot Password Page

While browsing through the website for some vulnerabilities , I went to the “Forget Password” functionality where it asked me to enter the registered mobile number .

OTP Verification Page

and as I entered the number , it sent me an OTP and after filing the right OTP in the form , it redirected me to “New password page” where I was allowed to set a new password for my account.

I firstly jumped into the most common and basic attack to bypass OTP — bruteforcing attack to see if there is any rate limiting or captcha being implemented but as I phrased it “most common and basic” , so it was not going to help me and captcha was also implemented there after 3 consecutive wrong attempts.

Let’s dive into this more. When I entered the wrong OTP, I got the following as the response —

Wrong OTP HTTP Response

Notice status parameter as “401” which means “ Unauthorized Error response” and that was obvious too as I entered the wrong OTP. Now to check whether it is just based on client side validation , I tried to bypass it . Captured the response , changed the “status” json parameter value to “200” and forwarded the response -

Changed HTTP Response

But some validation was there and it throws me the error message-

Invalid OTP Error Message

Might be the other parameters are causing the validation error so this time I removed all the json parameters and added the success parameter with the value to “true” so now the response json looks like —

Modified HTTP Response

and this time I was redirected to “Set Password Page” :D -

Forgot Password Page

I was able to set a new password for the user and using the changed password I was able to successfully login into the user’s account. This is how I could bypass OTP authentication and set a new password for the user and able to completely compromise his account using his mobile number.

Report details -

07-Jan-2018 — Bug Reported to the concerned company.

27-Jan-2018 — Bug was marked fixed.

03- Feb-2018 — Re-tested and confirmed the fix.

28-Feb-2018 — Rewarded by the company .

This was all about this interesting finding. ☺

Thanks!

~Logicbomb (https://twitter.com/logicbomb_1)