Account Takeover by OTP Bypass

SRLSEC 🇮🇳
2 min readJul 12, 2021

Hello everyone, this is my 2nd write-up; the first one is about SQL Injection (click here to read). In this write-up I will be sharing how I broke the password reset logic to achieve account takeover without any user interaction.

Before going into the steps I performed, I first need to explain the basic password reset functionality on this website.

Password Reset Functionality

Simply put, when a user wants to reset their password, they enter their mobile number and an OTP is sent to that number. After entering the OTP, the user is able to change their password.

On this website the password reset flow had 3 steps.

Step-1 : Entering the mobile number on which you will receive the OTP.
Step-2 : Confirming the OTP that you received on the mobile number.
Step-3 : The change-password page, shown if the OTP is correct.

I hope the basic functionality is clear now. Let's discuss how I found the account takeover vulnerability by spotting a flaw in the logic of this functionality.

How to find this vulnerability?

You need two accounts for testing purposes.

9999999999 (Attacker)

8888888888 (Victim)

  1. In the first step, request an OTP for password reset for the attacker mobile number (9999999999).
  2. You will receive the confirmation code on the attacker mobile number; enter the correct code and validate it (at this point capture this request in Burp Suite).
  3. In Burp Suite do Right Click > Do Intercept > Response to this request.
  4. Forward the request and you will get a response; copy it and save it somewhere for later use (this is the response when the OTP is correct).
  5. You will now reach the Step-III page, but we don't want to change the attacker's password here, so go back to the Step-I page and this time request an OTP for password reset of the victim mobile number (8888888888).
  6. This time the victim receives the OTP on their mobile number, but since we don't have access to it we enter any random number, e.g. 000000 (at this point capture this request in Burp Suite).
  7. In Burp Suite do Right Click > Do Intercept > Response to this request.
  8. Forward the request and you will get a response (this is the response when the confirmation code is incorrect).
  9. Replace this response with the correct response you copied earlier and click Forward.
  10. You will see that Step-II has been passed with a wrong OTP but a correct response, and we are now on Step-III.
  11. Simply enter a new password, submit it, and then try to log in to the victim mobile number with the new password.
  12. You will be able to log in, hence Account Takeover is successful.
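The write-up does not show the server side, so the following is an added example (not code from the original post or the website described) that models the most likely root cause as an assumption: the Step-III endpoint trusted the phone number alone, and only the client's reading of the Step-II response decided whether the change-password page was shown. The hardened version binds Step-III to a single-use, short-lived reset token that the server mints only after a genuine OTP match, so swapping the Step-II response no longer helps. The `VulnerableResetServer`, `HardenedResetServer`, phone numbers and helper functions are all constructed for this simulation.

```python
import hmac
import secrets
import time

# Constructed sample accounts for the simulation (not data from the write-up).
USERS = {
    "9999999999": {"password": "attacker-old"},  # attacker
    "8888888888": {"password": "victim-old"},    # victim
}


class VulnerableResetServer:
    """Models the assumed flaw: Step-II checks the OTP, but Step-III trusts the phone
    number alone. Only the client's reading of the Step-II response decides whether
    the Step-III page is shown, so a swapped response is enough to reach it."""

    def __init__(self, users):
        self.users = {phone: dict(u) for phone, u in users.items()}
        self.otps = {}  # phone -> current OTP

    def request_otp(self, phone):  # Step-I
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[phone] = otp
        return otp  # really sent by SMS; returned here only to drive the simulation

    def verify_otp(self, phone, otp):  # Step-II
        ok = hmac.compare_digest(self.otps.get(phone, ""), otp)
        return {"status": "success" if ok else "failure"}

    def change_password(self, phone, new_password, reset_token=None):  # Step-III
        # No server-side proof that Step-II ever succeeded for this phone number.
        self.users[phone]["password"] = new_password
        return {"status": "success"}


class HardenedResetServer(VulnerableResetServer):
    """Step-II mints a single-use, short-lived reset token bound to the phone number
    and Step-III refuses to change anything without it. A forged Step-II response
    cannot carry a valid token for the victim, so client UI state no longer matters."""

    MAX_ATTEMPTS = 5
    TOKEN_TTL = 300  # seconds

    def __init__(self, users):
        super().__init__(users)
        self.reset_tokens = {}  # token -> (phone, expiry)
        self.attempts = {}      # phone -> failed OTP attempts

    def verify_otp(self, phone, otp):
        if self.attempts.get(phone, 0) >= self.MAX_ATTEMPTS:
            return {"status": "failure"}  # stop brute force of the 6-digit code
        if not hmac.compare_digest(self.otps.get(phone, ""), otp):
            self.attempts[phone] = self.attempts.get(phone, 0) + 1
            return {"status": "failure"}
        self.otps.pop(phone, None)  # the OTP itself is single use
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (phone, time.time() + self.TOKEN_TTL)
        return {"status": "success", "reset_token": token}

    def change_password(self, phone, new_password, reset_token=None):
        entry = self.reset_tokens.pop(reset_token, None)  # consumed even on failure
        if entry is None or entry[0] != phone or entry[1] < time.time():
            return {"status": "failure"}
        self.users[phone]["password"] = new_password
        return {"status": "success"}


def forged_response_changes_victim_password(server, attacker, victim, new_password="new-pass"):
    """Replays the write-up's twelve steps against `server` and reports whether the
    victim's password changed without the victim's OTP. True means vulnerable."""
    # Steps 1-4: the attacker validates their own OTP and keeps the success response.
    captured = server.verify_otp(attacker, server.request_otp(attacker))
    # Steps 5-8: the victim's reset is started and a wrong code is submitted.
    real_otp = server.request_otp(victim)
    guess = "000000" if real_otp != "000000" else "111111"  # guaranteed wrong, keeps the demo deterministic
    real = server.verify_otp(victim, guess)
    # Step 9: the proxy swaps the failure response for the captured success response.
    shown_to_client = captured if real["status"] == "failure" else real
    # Steps 10-11: the client, believing Step-II passed, submits the new password.
    server.change_password(victim, new_password, reset_token=shown_to_client.get("reset_token"))
    return server.users[victim]["password"] == new_password


def legitimate_reset(server, phone, new_password="legit-pass"):
    """The intended flow: the real OTP is entered and Step-III uses what Step-II returned."""
    resp = server.verify_otp(phone, server.request_otp(phone))
    server.change_password(phone, new_password, reset_token=resp.get("reset_token"))
    return server.users[phone]["password"] == new_password


if __name__ == "__main__":
    print("vulnerable server, forged response:", forged_response_changes_victim_password(VulnerableResetServer(USERS), "9999999999", "8888888888"))
    print("hardened server, forged response:  ", forged_response_changes_victim_password(HardenedResetServer(USERS), "9999999999", "8888888888"))
    print("hardened server, legitimate reset: ", legitimate_reset(HardenedResetServer(USERS), "8888888888"))
```

The detection point for defenders is in the hardened `change_password`: any Step-III request arriving without a valid token, or with a token bound to a different phone number, is a strong signal of response tampering and is worth logging and alerting on, and the attempt counter in `verify_otp` closes the separate brute-force route against a 6-digit code.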

Thanks for reading : )
