Account Takeover by OTP bypass
Hey everyone! This bypass is a little bit interesting, and hopefully you will learn a lot from it.
So I was going through a website that deals with teacher logins and education services (a government website). Let’s call this website “example.com”.
In order to log in as a teacher you need to enter a registered mobile number, which example.com then verifies. I have family members who work in the education sector, so I tried with their number and was able to log in after completing the verification.
Then I thought, let’s try to bypass this verification process. Fortunately, I found a contact number in the web application’s script (another flaw! ==> hidden treasure).
I clicked on teacher’s login and entered the contact number that I found in the script (let’s call it the victim’s number).
The moment I clicked the “verify” button, a new screen to send the OTP popped up. (If I enter my own mobile number and click verify, it does not allow me to proceed, because I’m not registered as a teacher on this portal.) Now, if I click on “Send OTP”, the OTP goes to the victim’s number, but I won’t be able to see it.
I tried intercepting the request in Burp to see whether the response was leaking the OTP, but no luck there. Then I opened Inspect Element on the same page and investigated the mobile number field. As can be seen in the screenshot, the mobile number field is marked “disabled”. I changed it to enabled and was able to edit the mobile number.
At this point I was already verified with the victim’s mobile number; the only thing I needed was the OTP to proceed further. After I enabled the mobile number field, I replaced the victim’s mobile number with my own and hit the “Send OTP” button.
Guess what!! I received the OTP on my number. I quickly entered the OTP.
The moment I entered the OTP, I was logged into the victim’s account with complete access.
Issues with the web application:
1- The mobile number is exposed in the script.
2- The “verify” step validates the mobile number on the server side, but the “Send OTP” step does not check that the number it sends to is the one that was just verified; it trusts the number submitted by the client, which is how I got the OTP on my number.
3- Further testing showed the OTP check was also vulnerable to brute-forcing.
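To make the two server-side defects concrete, here is an added example (my own code, not the application’s or the post’s) that models the flow in a few in-memory functions. The registered numbers, the session dictionary, the six-digit OTP length and the five-attempt limit are all assumptions; the point is the contrast between a “Send OTP” handler that trusts the client-resubmitted number and one that only ever sends to the number bound to the session in the “verify” step, plus an OTP check that bounds guesses instead of allowing unlimited attempts.

```python
"""Added example (not the original post's code): a minimal in-memory model of the
teacher-login OTP flow, with the vulnerable 'Send OTP' handler beside a hardened
one. Registered numbers, OTP length and attempt limit are assumptions."""
import hmac
import secrets
import time

# Constructed sample data (assumption): numbers registered as teachers.
REGISTERED_TEACHERS = {"9100000001", "9100000002"}

OTP_LENGTH = 6
MAX_OTP_ATTEMPTS = 5
OTP_TTL_SECONDS = 300

# Stand-in for the SMS gateway: records which number each OTP went to.
SENT_SMS = []


def send_sms(number, otp):
    SENT_SMS.append((number, otp))


def new_otp():
    return "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))


def verify(session, mobile):
    """Step 1 ('verify' button): the server checks the number is a registered
    teacher and binds it to the session. The post says this part was done right."""
    if mobile not in REGISTERED_TEACHERS:
        return False
    session["verified_mobile"] = mobile
    return True


def send_otp_vulnerable(session, request_mobile):
    """The flaw in the post: the handler trusts the mobile number resubmitted by
    the client (the 'disabled' field re-enabled in DevTools) instead of the number
    verified in step 1, so the OTP lands on the attacker's phone."""
    otp = new_otp()
    session["otp"] = otp
    send_sms(request_mobile, otp)
    return request_mobile


def send_otp_fixed(session, request_mobile):
    """Hardened: the destination comes only from the server-side session, and a
    client-supplied number that disagrees with it is rejected outright."""
    bound = session.get("verified_mobile")
    if bound is None or request_mobile != bound:
        raise PermissionError("mobile number does not match verified session")
    otp = new_otp()
    session["otp"] = otp
    session["otp_issued"] = time.time()
    session["otp_attempts"] = 0
    send_sms(bound, otp)
    return bound


def check_otp_vulnerable(session, submitted):
    """Unlimited attempts: a 6-digit code falls to at most 10**6 guesses."""
    return submitted == session.get("otp")


def check_otp_fixed(session, submitted):
    """Hardened: expiry, bounded attempts, constant-time compare, single use."""
    otp = session.get("otp")
    if otp is None:
        return False
    if time.time() - session["otp_issued"] > OTP_TTL_SECONDS:
        session.pop("otp", None)
        return False
    session["otp_attempts"] += 1
    if session["otp_attempts"] > MAX_OTP_ATTEMPTS:
        session.pop("otp", None)  # locked out; a fresh OTP must be requested
        return False
    if hmac.compare_digest(otp, submitted):
        session.pop("otp", None)  # single use
        session["authenticated_as"] = session["verified_mobile"]
        return True
    return False


def lockout_demo():
    """After MAX_OTP_ATTEMPTS wrong guesses even the correct OTP is refused."""
    s = {}
    verify(s, "9100000001")
    send_otp_fixed(s, "9100000001")
    otp = s["otp"]
    wrong = "000000" if otp != "000000" else "000001"
    for _ in range(MAX_OTP_ATTEMPTS):
        check_otp_fixed(s, wrong)
    return check_otp_fixed(s, otp)  # False: locked out


def demo():
    """Reproduces the post's attack against the vulnerable handler, then shows the
    same tampering rejected by the fixed one."""
    victim, attacker = "9100000001", "9199999999"
    s = {}
    verify(s, victim)
    delivered_to = send_otp_vulnerable(s, attacker)  # goes to the attacker
    s2 = {}
    verify(s2, victim)
    try:
        send_otp_fixed(s2, attacker)
        tamper_rejected = False
    except PermissionError:
        tamper_rejected = True
    return delivered_to, tamper_rejected


if __name__ == "__main__":
    print(demo(), lockout_demo())
```

The design point is that the client-side “disabled” attribute is purely cosmetic: anything the browser sends can be edited, so the server must treat the verified number as session state and never read it back from the request. Bounding attempts (or rate limiting per session and per number) is what turns a six-digit OTP from a brute-forceable value into a real second factor.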
I quickly made a PoC and reported it to NCIIPC, and received the usual response. Happy to have investigated and helped secure the application.