OTP Leaking Through Cookie Leads to Account Takeover
2023-01-17 17:36:25 Author: infosecwriteups.com

OTP Bypass

leakage

Hello Hackers,

This time I am going to discuss an OTP-leaking vulnerability that leads to account takeover on an e-commerce website.

Let’s Start

What is an OTP?
A one-time password, also known as a one-time PIN, one-time authorization code or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device.
(source: Wikipedia)

While searching on Google for a bug bounty program, I came across an e-commerce website. I started by checking the website’s registration and login pages: I intercepted the requests and searched them for any sensitive data, but I didn’t find anything.

After I registered an account and tried to log in, I noticed the interesting thing about that website. I should have found the vulnerability on the registration page itself.

Let’s Discuss it

After registration, there were two options to log in: with the password or with an OTP.

Login Page

I used Login with OTP, entered the registered number, and clicked LOGIN WITH OTP.

Validate OTP

Then I checked the cookies: a new cookie named ‘otpcookies’ had appeared in the response, and its value was the OTP itself.

otp

I entered the OTP and validated it.

Successfully logged in

We successfully logged in to the account.

We can take over any account just by knowing its mobile number: request an OTP for the victim’s number, read the OTP from the cookie in the response, and submit it. The same method works on the registration page, and the most interesting part was that there was no validation of the mobile number or email address at all, which means we could register even with non-existent numbers and emails. All of this happened on an e-commerce website :(
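The flow described above, as an added example that is not the site’s code or the author’s: a minimal Python model of a “login with OTP” endpoint that, like the one in the writeup, copies the OTP into a Set-Cookie header; an attacker function that harvests it (it scans every cookie in the response for an OTP-shaped value rather than relying on the name ‘otpcookies’, so it generalises beyond this one site); and a hardened version beside it that stores only an HMAC of the OTP, lets the OTP leave the server only through the SMS channel, and makes it expiring, single-use and rate-limited. The registered users, the SMS outbox, the cookie names, the TTL and the attempt limit are all assumptions.

```python
"""Added example, not the site's code: OTP echoed in a cookie vs. a hardened flow."""
import hashlib
import hmac
import re
import secrets
import time
from http.cookies import SimpleCookie

USERS = {"9999900001": "victim"}       # constructed registered accounts: phone -> name
SMS_OUTBOX = []                         # constructed SMS gateway: (phone, otp) it delivered
OTP_RE = re.compile(r"^\d{4,8}$")       # what an OTP usually looks like inside a leaked cookie


def new_otp():
    return f"{secrets.randbelow(10**6):06d}"


# ---- Vulnerable flow: the server sends the OTP by SMS and also echoes it in Set-Cookie ----
VULN_OTPS = {}                          # phone -> current OTP, kept in the clear


def vuln_request_otp(phone):
    otp = new_otp()
    VULN_OTPS[phone] = otp
    SMS_OUTBOX.append((phone, otp))
    return {"Set-Cookie": f"otpcookies={otp}; Path=/"}   # the bug: OTP visible to the requester


def vuln_validate_otp(phone, otp):
    return VULN_OTPS.get(phone) == otp


def otp_like_cookies(set_cookie_header):
    """Scan a Set-Cookie header for values that look like an OTP, whatever the cookie is called."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {name: m.value for name, m in jar.items() if OTP_RE.match(m.value)}


def attacker_takeover(phone):
    """The writeup's attack: request an OTP for the victim's number and read it from the cookie."""
    leaked = otp_like_cookies(vuln_request_otp(phone)["Set-Cookie"])
    return any(vuln_validate_otp(phone, otp) for otp in leaked.values())


# ---- Hardened flow: only an HMAC of the OTP is stored, and only an opaque id goes back ----
OTP_TTL = 300                           # assumption: seconds an OTP stays valid
MAX_ATTEMPTS = 5                        # assumption: guesses allowed per challenge
SERVER_KEY = secrets.token_bytes(32)    # assumption: per-deployment secret from a key store
CHALLENGES = {}                         # challenge_id -> {phone, digest, expires, attempts}


def _digest(challenge_id, otp):
    return hmac.new(SERVER_KEY, f"{challenge_id}:{otp}".encode(), hashlib.sha256).hexdigest()


def safe_request_otp(phone, now=None):
    """Bind a fresh OTP to an opaque challenge id; the OTP itself leaves only via SMS."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    if phone in USERS:                  # unknown numbers get the same cookie but no record,
        otp = new_otp()                 # so the response does not reveal which numbers exist
        CHALLENGES[challenge_id] = {"phone": phone, "digest": _digest(challenge_id, otp),
                                    "expires": now + OTP_TTL, "attempts": 0}
        SMS_OUTBOX.append((phone, otp))
    return {"Set-Cookie": f"otp_challenge={challenge_id}; HttpOnly; Secure; SameSite=Strict; Path=/"}


def safe_validate_otp(cookie_header, otp, now=None):
    """Return the phone that was verified, or None. Expiring, rate-limited, single use."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    challenge_id = jar["otp_challenge"].value if "otp_challenge" in jar else None
    ch = CHALLENGES.get(challenge_id)
    if ch is None or now > ch["expires"]:
        CHALLENGES.pop(challenge_id, None)
        return None
    ch["attempts"] += 1
    if ch["attempts"] > MAX_ATTEMPTS:   # too many guesses: burn the challenge
        CHALLENGES.pop(challenge_id)
        return None
    if not hmac.compare_digest(ch["digest"], _digest(challenge_id, otp)):
        return None
    CHALLENGES.pop(challenge_id)        # single use: a replayed OTP must fail
    return ch["phone"]


def attacker_vs_hardened(phone):
    """Same attack against the hardened flow: the only cookie is an opaque id, so no OTP to read."""
    header = safe_request_otp(phone)["Set-Cookie"]
    leaked = otp_like_cookies(header)
    return any(safe_validate_otp(header, otp) for otp in leaked.values())


def legit_login(phone):
    """The real user reads the OTP from their phone (here, the constructed outbox) and submits it."""
    header = safe_request_otp(phone)["Set-Cookie"]
    otp = [o for p, o in SMS_OUTBOX if p == phone][-1]
    return safe_validate_otp(header, otp)


if __name__ == "__main__":
    print("vulnerable site taken over:", attacker_takeover("9999900001"))
    print("hardened site taken over:", attacker_vs_hardened("9999900001"))
    print("hardened site legitimate login:", legit_login("9999900001"))
```

The thing to check on a real target is the “send OTP” response itself (Set-Cookie headers and the JSON body) before the OTP is ever typed in: anything that lets the party who requested the code read it back defeats the second factor, whatever the cookie or field is called.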

I reported the issue to the admin and they responded within hours and accepted the bug. After that there was no response from their side, and no updates till now. Let’s wait.

Thank You For Reading ….

Twitter: https://twitter.com/ag3n7apk

Linkedin: https://www.linkedin.com/in/abhijith-pk-ag3n7/


Source: https://infosecwriteups.com/otp-leaking-through-cookie-leads-to-account-takeover-4fb96f255e2f?source=rss----7b722bfd1b8d--bug_bounty