Yes I can see your OTP

As the title says, YESS I can see your OTP of blah blah blah .com (Dropping the hint in the above image) and can create a legitimate account with your phone number and even I can order ton of products impersonating you. The secondary domain is vulnerable to OTP leak and the website is full functional.

Vulnerability: OTP misconfiguration or verification bypass
Severity: Critical
Owasp rank: (OTG-AUTHN-004)

Was going through a sign up form and looking for XSS but no luck and in phone number it was a 11 digit format so just signed up with random number which gave me verification page with customerID in the URL. Changing the customerID to an existing won’t give you anything because those accounts are already verified. (Below is the request)

Intercepted the request and sent to repeater but nothing useful in response, no JSON. Entered random code but still not working so intercepted the Resend code request which gave only a customerID in request

Vulnerable request

So just forwarded the request as it is and it just gave out the confirmation code in the response and here the code is purely dependent on the customerID so parameter based IDOR is also possible. Changed the customerID to 6204 to 6203 and forwarded the request! Wait for it, because the parameter is not properly serialized the value we are changing is directly refers to a system object so it exposed the verification code of the existing users too.

Tell me his/her OTP … okay its six two xx xx xx DAMN

They’re just used OTPs, nothing critical but still it is a parameter based IDOR. It’s not a bypass but they’ve poorly configured the verification code process. Video PoC will be available after the patch so stay tune.

31-Dec-2018 11:59 pm → Bug Reported