Hi, amazing Hackers, its Raidh_Here. Hope you all are doing good. I am again with a cool google VRP write up. So without wasting any time let’s jump into the write up.

BEGIN THE READ:

It was night and was looking at my pc like everyday. After thinking of many hours, I just took a break and made a cup of coffee . I just picked up my phone and saw a message about verification code for Google Merchant Center.

I sipped my coffee and sat in front of my PC and searching for any verification code leakage.

While sending the OTP verification request, It seemed so interesting like this.

I picked up my phone, checked the verification message.. wait what!!

It was the same SMS content that I got from my phone. I was like whoooo what the hell.. I tried to make some changes in the OTP . But it didn’t work

I tried to make some changes in the SMS format. Yes, it worked .So I can edit the SMS format, added any content that I wanted and able to send to victims like this.

“ send your verification code to attacker.com {otp} ”

“send your verification code to this number to verify your account {otp} ”

I created a report on the behalf of Google .They closed as Won’t Fix (Obsolete). But after explaining the attacking scenario, they accepted the bug and rewarded $$$ bounty…..

“while searching the verification code leaks don’t forget to search the SMS format to” :D

TIMELINE

Jan 21, 2021 11:44AM — REPORTED
Feb 11, 2021 10:24AM — Status: Won’t Fix (Obsolete)
Feb 16, 2021 06:23PM — Status: Accepted (reopened)
Feb 23, 2021 08:20AM — REWARDED $$$