Bug bounty writeup : 2F/OTP Bypass on Registeration via Response manipulation

Hello folks.

This is a write-up on the latest bugs I have reported in collaboration with Abdullah Mohammed.

Summary

The web app permits users to create accounts using their phone number and enter the OTP to complete the registration process. The bug is about bypassing the OTP at the registration page by manipulating the response.

Steps to reproduce (PoC):

1. Create an account https://example[.]com/register
2. Fill in all the required data enter the phone number and send the form.
3. We will receive a five-digit OTP on the phone number used for registration. Enter any random 5 digits, e.g. 00000
4. Intercept the request with burp suite proxy, choose the option “Do intercept >> response to this request” and hit Forward.

5. We will receive a response with 500 500, modify it to 200 OK, and forward the request

Successfully! The user is created

We were able to create a user using his phone number and bypass the OTP.

Impact

The impact is that attackers can create accounts on behalf of the victim using their phone number only!

Happy hunting!

Abdullah Mohammed:

LinkedIn (Abdullah Mohammed)

Twitter (@abdlah_md)

Noor Alhomaid:

LinkedIn (Noor Alhomaid)

Twitter (@AlHomaidNoor)