Account Takeover by OTP bypass

Hey everyone! This bypass is a little bit interesting and hopefully you will learn a lot from it.

So I was going through this website which actually deals with teachers' login and education stuff (a government website). Let's call this website "example.com".

In order to log in as a teacher you need to give the registered mobile number, and then example.com will verify it. I have members in my family who are in the education sector, so I tried with their number and I was able to log in after complete verification.

Then I thought, let's try to bypass this verification process. Fortunately, I found a contact number in the script of the web application (another flaw ==> hidden treasure).

I clicked on teacher's login and entered the contact number that I found in the script (say, the victim's number).

The moment I clicked on the "verify" button, a new screen to send the OTP popped up on screen. (If I enter my own mobile number and click verify then it will not allow me to proceed, because I'm not registered as a teacher in this portal.) Now if I click on send OTP then the OTP will go to the victim's number, but I won't be able to see it.

I tried intercepting the request in Burp to see if the response was leaking the OTP or not, but no luck there. Then I opened inspect element for the same page and investigated the mobile number field. As can be seen in the screenshot, it shows that the mobile number field is "disabled". I changed the status to "enabled" and I was able to edit the mobile number.

At this point I am already verified with the victim's mobile number; the only thing I need is the OTP to proceed further. After I enabled the mobile number field, I replaced the victim's mobile number with my mobile number and hit the "Send OTP" button.

Guess what!! I received the OTP on my number. Quickly, I entered the OTP.

The moment I entered the OTP, I got logged in to the victim's account with complete access.
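The root cause described above is that the "Send OTP" step trusted the mobile number in the request instead of the number the session had already verified, so a client-side "disabled" attribute was the only protection. The following is an added illustration, not code from the post or from the affected portal: a minimal OTP flow with the weak behaviour and the corrected behaviour side by side, plus a regression check that replays the post's sequence (numbers and account names are constructed).

```python
import hmac
import secrets

# Constructed sample data: registered teacher numbers (not from the original post).
REGISTERED_TEACHERS = {"9100000001": "teacher-victim"}


class OtpFlow:
    def __init__(self, trust_client_number):
        self.trust_client_number = trust_client_number
        self.sessions = {}   # session_id -> {"number": verified number, "otp": pending OTP}
        self.sent = []       # (recipient, otp) pairs; stands in for the SMS gateway

    def verify_number(self, session_id, number):
        # Step 1 ("verify" button): identical in both versions. Binds the checked,
        # registered number to the session so later steps do not need the client's copy.
        if number not in REGISTERED_TEACHERS:
            return False
        self.sessions[session_id] = {"number": number, "otp": None}
        return True

    def send_otp(self, session_id, client_number):
        s = self.sessions.get(session_id)
        if s is None:
            return False
        # Weak: the number posted with "Send OTP" is used as the recipient, so the
        # browser-side disabled attribute is the only thing keeping it unchanged.
        # Fixed: the recipient is always the session-bound number from step 1 and
        # any number in the request body is ignored.
        recipient = client_number if self.trust_client_number else s["number"]
        s["otp"] = f"{secrets.randbelow(10**6):06d}"
        self.sent.append((recipient, s["otp"]))
        return True

    def login(self, session_id, otp):
        s = self.sessions.get(session_id)
        if s is None or s["otp"] is None or not hmac.compare_digest(s["otp"], otp):
            return None
        s["otp"] = None  # single use
        return REGISTERED_TEACHERS[s["number"]]


def replay(trust_client_number):
    """Regression check: verify the registered number, then post a different number
    with "Send OTP". Returns (number the OTP was delivered to, session-bound number)."""
    flow = OtpFlow(trust_client_number)
    flow.verify_number("sess1", "9100000001")
    flow.send_otp("sess1", "9200000002")   # edited form field, not the verified number
    recipient, _otp = flow.sent[-1]
    return recipient, flow.sessions["sess1"]["number"]
```

In the fixed flow the OTP only ever reaches the number verified in step 1, and a request whose mobile number differs from the session-bound one is worth logging as a tamper attempt.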

Issues with the web application:

I quickly made the PoC and reported it to NCIIPC, and received the usual response. Happy to investigate and secure the application.

Stay Curious Stay Protected!!


Penetration Tester | Masters in Information Security
