Account Takeover by OTP Bypass

SRLSEC 🇮🇳
2 min read · Jul 12, 2021


Hello everyone, this is my second write-up; the first one is about SQL Injection (click here to read). In this write-up I will share how I broke the password reset logic to get an account takeover without any user interaction.

Before we go into the steps I performed, I first need to explain the basic password reset functionality of this website.

Password Reset Functionality

Simply put, when a user wants to reset their password, they enter their mobile number and an OTP is sent to that number. After entering the correct OTP the user is able to change the password.

On this website the password reset flow had three steps.

Step-1 : Enter the mobile number on which you will receive the OTP.
Step-2 : Confirm the OTP received on that mobile number.
Step-3 : The change-password page, shown only if the OTP is correct.

I hope the basic functionality is clear now; let's discuss how I achieved account takeover by finding a flaw in the logic of this flow.

How to find this vulnerability?

You need two accounts for testing purposes.

9999999999 (Attacker)

8888888888 (Victim)

  1. In the first step, request an OTP for a password reset of the attacker's mobile number (9999999999).
  2. You will now receive the confirmation code on the attacker's mobile number; enter the correct code and validate it (at this point capture this request in Burp Suite).
  3. In Burp Suite, right click > Do Intercept > Response to this request.
  4. Forward the request and you will get a response; copy it and save it somewhere for later use (this is the response when the OTP is correct).
  5. You will now get the Step-3 page, but we do not want to change the attacker's password here, so go back to the Step-1 page and this time request an OTP for a password reset of the victim's mobile number (8888888888).
  6. This time the victim will get the OTP on his mobile number, but since we do not have access to his mobile we enter any random number, e.g. 000000 (at this point capture this request in Burp Suite).
  7. In Burp Suite, right click > Do Intercept > Response to this request.
  8. Forward the request and you will get a response (this is the response when the confirmation code is incorrect).
  9. Replace this response with the correct response you copied earlier and click forward.
  10. You will see that we have passed Step-2 with a wrong OTP and the correct response, and we are now on Step-3.
  11. Simply enter a new password, submit it, and then try to log in to the victim's mobile number with the new password.
  12. You will be able to log in; hence the account takeover is successful.
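To make the defensive point concrete, here is an added Python model (not code from this post or from the site described) of the three-step flow: a Step-3 endpoint that trusts the browser's view of Step-2, beside one that requires a server-issued, phone-bound, single-use token. The in-memory user store, the `ResetService` class and the phone numbers are constructed for the simulation.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory user store standing in for the site's database.
USERS = {"9999999999": "attacker-old-pw", "8888888888": "victim-old-pw"}


@dataclass
class ResetService:
    """Model of the 3-step phone-OTP reset flow from the write-up (hypothetical)."""
    otps: dict = field(default_factory=dict)      # phone -> OTP "sent" by SMS
    tokens: dict = field(default_factory=dict)    # phone -> reset token (hardened path)

    def request_otp(self, phone: str) -> str:
        # Step 1: generate a 6-digit OTP. It is returned here only so the
        # simulation can act as the phone's owner; a real server never echoes it.
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[phone] = otp
        return otp

    def verify_otp(self, phone: str, otp: str) -> dict:
        # Step 2: the JSON body the browser receives. On the vulnerable site the
        # browser alone decides, from this body, whether to show Step 3.
        expected = self.otps.get(phone)
        if expected is not None and hmac.compare_digest(expected, otp):
            del self.otps[phone]
            token = secrets.token_urlsafe(32)
            self.tokens[phone] = token
            return {"status": "success", "reset_token": token}
        return {"status": "error"}

    def change_password_vulnerable(self, phone: str, new_pw: str) -> bool:
        # Step 3 as the write-up implies it behaved: nothing server-side proves
        # that the OTP for *this* phone was ever verified, so a swapped
        # "success" response in the browser is all it takes to reach here.
        USERS[phone] = new_pw
        return True

    def change_password_hardened(self, phone: str, token: str, new_pw: str) -> bool:
        # Step 3 fixed: demand the single-use token bound to this phone that only
        # a correct OTP produces. Editing the Step-2 response yields no token.
        expected = self.tokens.get(phone)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.tokens[phone]
        USERS[phone] = new_pw
        return True
```

The fix is that Step-3 authorisation lives in server state keyed by the phone number, so the client's copy of the Step-2 response carries no authority.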

Thanks for reading : )


Offensive Web Application Security | Python Developer | Network Engineer