OTP Bypass + PATO = 100 Dollars Bounty

Hello ppl! This is Gnana Aravind here with another awesome write-up explaining the story of my recent bounty. This month I was awarded with 100 dollars from a private program for securing their platform, so lets see how I caught those bugs from the bucket…

Back Story

I was wildly searching for new VDP’s and Bug Bounty Programs on the internet and surprisingly got an Indian site which was offering a gud bounty for researchers. I remember that once I have used their platform for some works, so I was very clear about the functionality of the website. Then without wasting much time I packed my self for hunting there web-app. The target was an eCommerce site with same features of what a regular shopping site have.

Getting Into Beast Mode

I totally spent around 3 to 4 hours on the website and tested the overall site for XSS, SQLs, IDORs and lot more things but caught nothing. I always luv to test the password and sign-in functionalities as they worth a lot. If you have missed my previous write-up on “How I Bypassed a Login Page in 2 Mins” get it from my profile.

Moving on to the bug story, I stated testing the Sign-in and Password Reset functionality but got nothing again. I tried attacks like parameter tampering, Oauth Misconfig, Auth token leakages and lot more till no hope. But you know what I was very confident about the working of the sign-in page as I tested in again and again. Now the master piece is here. I checked the sign-up functionality and found something there which gave me some hope…

This is how the sign-up function works. Enter user mobile number > User gets OTP > Enter correct OTP in site > New registration begins… What my mind told me was to “Try parameter tampering here” as I got failed in the sign-in functionality. So I tried to tamper the parameter to make a new user registration with out a valid OTP. And you know what…. It worked… I was able to create an account without a valid OTP.

Repose got for an invalid otp

So what I dis was, I just changed the parameter from, “isValid:false” to “isValid:true” and there we go with our OTP bypass… To increase the severity of this bug I chained it to Pre account Takeover. The attack scenario is, If an attacker knows an users number, he can create a account using that number withoot the user’s knowledge.

Timeline

First Report : 22 Feb 2022

First Response : 23 Feb 2022

Bug Fixation : 5 March 2022

No reply from the Company : (Sad Bgm Rolls)

Bounty Credited : 8 April 2022

Final Touch

From my 3+ yrs of bug bounty journey, one thing I learned was more than Hard work and Smart work, you also need to have some luck 😂😂😂. Yeah thats true… Comment it if you agree… Never stop exploring stuffs, be committed to your passion and share your knowledge. That’s the end of this write up. If you want me to take any Bug Bounty or Ethical Hacking Classes in your events, reach me out (Mail: gnanaaravind07@gmail.com) for free sessions. I luv sharing my knowledge. I mean if you conduct any events I can be a speaker there.

I too run a student community where we conduct lot of technical events for the enrichment of young people. Connect with us if you wanna explore the world and boost your career. Join us @cyberonics_official.

See you in yet another write-up guys, visit my profile and follow for more such write-ups…

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store