How I bypassed the OTP verification process? Part — 1

Aditya Anand
Jul 1, 2018 · 3 min read

It has been a long time since I posted an article, partly because I was tired and taking a pleasant summer break. I was reading this particular article:

How I could have booked movie tickets through other user accounts by Bharathvaj Ganesan

After reading it I realised that I had always tried different ways to bypass login credentials, but never on sites that had an OTP verification process. The article gave me the feeling that online profiles with a built-in OTP verification process are not super secure either, and from there on I tried to carry out some attacks on a website that uses OTP verification.

Let’s dig in!

I started my attack on a website, let's call it example.com, and carried it out in two phases:

  1. Can I create a profile using a mobile number that I don't own? (Identity theft)
  2. Can I get access to the account of a person if all I know is their username or mobile number? (How I bypassed the OTP verification process? Part — 2)

The first hack

To understand how to create a profile and how the OTP system works on that particular website, I went ahead and created my own account, taking note of how the website worked as I did so. Once that was done I repeated the process for another number that I own, but this time the whole idea was to create the account without touching the phone that held the SIM in any way.

So, here is how I began the hack. I entered all the details as required. As soon as I was done, I instantly received an OTP on my phone to verify and complete the account creation process.

Burp Suite on!

I was presented with the verification page and had to enter the OTP I had just received on my mobile. I turned intercept mode on and captured the request packet that was being sent to the server.

[Image: The request packet I captured]

I already knew the OTP was a 6-digit number, since that is what I had received when I made my first account.

So I passed the packet to the Intruder tab to carry out a brute force attack and see whether the website allowed multiple attempts at the OTP. For this first attempt I took the OTP I had received, made a long list of nearly 150 numbers, and included the real OTP at the very end, just to find out whether the process would work at all.

[Image: Brute force attack]

I guess I was in luck, because the brute force attack worked: the website never cut off the attempts, and Burp Suite was able to detect which one was the correct OTP.

Moral

This is one of the biggest mistakes I have encountered in my time carrying out pen-testing: we never check the number of times an OTP can be entered, the number of times a password can be entered, and so on.

A prevention method for such brute force attacks could be a check that disallows any attempt made more than 3–5 times, or invalidating the OTP after 5 wrong attempts or so. This kind of security technique is simple to implement and will help curb a huge number of security issues.
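The check described above, as an added example rather than code from the original post or the affected site: a server-side OTP store that counts wrong attempts per phone number, invalidates the OTP once the limit is hit, and also expires it after a time-to-live (the 5-minute TTL and the `OtpStore` name are assumptions; the page only specifies the attempt limit).

```python
import hmac
import secrets
import time

MAX_WRONG_ATTEMPTS = 5    # page suggests 3-5; OTP is invalidated at this count
OTP_TTL_SECONDS = 300     # assumed expiry, not specified on the page


class OtpStore:
    """Per-phone OTP state with attempt counting (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock for testing
        self._pending = {}                 # phone -> {"code", "issued", "attempts"}

    def issue(self, phone):
        # 6-digit code, as described on the page; previous code is replaced
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = {"code": code, "issued": self._now(), "attempts": 0}
        return code

    def verify(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending_otp"        # nothing issued, or already used/invalidated
        if self._now() - entry["issued"] > OTP_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        entry["attempts"] += 1             # count every attempt, right or wrong
        if hmac.compare_digest(entry["code"], str(submitted)):
            del self._pending[phone]       # single use: a correct code is consumed
            return "ok"
        if entry["attempts"] >= MAX_WRONG_ATTEMPTS:
            del self._pending[phone]       # invalidate; user must request a fresh OTP
            return "locked"
        return "wrong"


def wrong_guesses_until_locked(store, phone, candidates):
    """Submit wrong candidates in order; return how many the server evaluated
    before it invalidated the OTP (shows a long candidate list is cut short)."""
    for i, candidate in enumerate(candidates, start=1):
        if store.verify(phone, candidate) == "locked":
            return i
    return len(candidates)
```

In production the state would live in a shared store such as Redis rather than a dict, and the attempt limit should be paired with throttling of OTP requests per number and per client address.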

If you enjoyed it please do clap & let’s collaborate. Get, Set, Hack!

Website : aditya12anand.com | Donate : paypal.me/aditya12anand

Telegram : https://t.me/aditya12anand

Twitter : twitter.com/aditya12anand

LinkedIn : linkedin.com/in/aditya12anand/

E-mail : aditya12anand@protonmail.com

P.S. The attack where I was able to login into any user account will be discussed in another article, How I bypassed the OTP verification process? Part — 2.

Aditya Anand

Written by

CyberSec Professional | Hacker | Developer | Open Source Lover | Website - aditya12anand.com | Donate - paypal.me/aditya12anand

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
