Bug bounty writeup: 2FA/OTP Bypass on Registration via Response Manipulation
Hello folks.
This is a write-up on the latest bugs I have reported in collaboration with Abdullah Mohammed.
Summary
The web app lets users create accounts with their phone number and then enter an OTP to complete registration. The bug is a bypass of the OTP check on the registration page by manipulating the server's response.
Steps to reproduce (PoC):
- Create an account at https://example[.]com/register
- Fill in all the required data, enter the phone number, and submit the form.
- A five-digit OTP is sent to the phone number used for registration. Enter any random 5 digits, e.g. 00000.
- Intercept the request with the Burp Suite proxy, choose “Do intercept >> Response to this request”, and hit Forward.
- The response comes back with status 500. Modify it to 200 OK and forward it.
Success! The user is created.
We were able to create a user with their phone number and bypass the OTP.
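The root cause is that account creation depends on what the client reports after the OTP step rather than on state the server recorded itself, so a rewritten status line is enough to proceed. The following is an added illustration, not the affected app's code: a minimal in-memory registration flow with the flawed finalize step next to a hardened one that consults only server-side verification state (the store names and the 500-on-wrong-code behaviour are assumptions, the latter mirroring the writeup).

```python
import hmac
import secrets

# Constructed in-memory stores standing in for a database (assumption: the real
# app's storage layer is unknown; this is illustrative, not the app's own code).
PENDING: dict[str, dict] = {}   # phone -> {"otp": str, "verified": bool}
USERS: set[str] = set()


def start_registration(phone: str) -> str:
    """Issue a 5-digit OTP and record it server-side. The OTP is returned only so
    this demo can feed it back; a real app sends it by SMS and never returns it."""
    otp = f"{secrets.randbelow(100000):05d}"
    PENDING[phone] = {"otp": otp, "verified": False}
    return otp


def verify_otp(phone: str, submitted: str) -> int:
    """Return an HTTP-style status for the OTP check and record success server-side."""
    entry = PENDING.get(phone)
    if entry is None:
        return 404
    if not hmac.compare_digest(entry["otp"], submitted):
        return 500   # as in the writeup; a 400/401 would be the idiomatic choice
    entry["verified"] = True
    return 200


def finalize_vulnerable(phone: str, client_says_verified: bool) -> bool:
    """Flawed: creation is gated on the client's claim that the OTP step returned
    200. Whatever the client saw, or was fed through a proxy, decides the outcome."""
    if client_says_verified:
        USERS.add(phone)
        return True
    return False


def finalize_hardened(phone: str) -> bool:
    """Hardened: the server consults its own record of the OTP check. Nothing the
    client submits, and nothing it observed in a response, can substitute for it."""
    entry = PENDING.get(phone)
    if entry is None or not entry["verified"]:
        return False
    USERS.add(phone)
    PENDING.pop(phone)   # one-time use: the verified state cannot be replayed
    return True
```

A detection angle follows from the same split: an account-created event for a phone number that never produced a successful OTP verification on the server is the signal to alert on.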
Impact
The impact is that attackers can create accounts on behalf of a victim using only the victim's phone number!
Happy hunting!
Abdullah Mohammed:
LinkedIn (Abdullah Mohammed)
Twitter (@abdlah_md)
Noor Alhomaid:
LinkedIn (Noor Alhomaid)
Twitter (@AlHomaidNoor)