User Account takeover in India’s largest digital business company
Recently, I found this vulnerability in one of the India’s largest digital business organization. Although, this is not exactly aimed for bug bounty but what worries me more is that in this Internet dominated era, our data is exposed and is at heightened risk of getting abused.
While signing up as a new user, the OTP is sent to the mobile number registered with the account. Submit the OTP value from your mobile device and intercept the request. Edit the mobile number with an already registered number. You can login as another user in the application and perform action on his behalf. The response includes the user’s email address, name and contact number.
The OTP is not mapped with the user’s mobile number during sign up and is not validated at server end. It is always mandatory to implement server side validations. Client side controls should never be trusted.