Bypassing OTP via reset password

I discovered this vulnerability in a private program, which I will call target.com. Before going further, note that the vulnerability came from a flawed implementation of the password reset method in the API, which leaked a live API token (a valid session token for the account) in the reset response.
While doing recon on this target, I realized that every function, without exception, was backed by a single API; the web app was just an interface for that API, so it made sense to start by scanning those functions for bugs. While checking the account settings, I found an OTP-by-phone-number option, so I turned it on and logged out.
I logged straight back in and decided to check for rate-limit bypasses and other OTP-related bugs, but the rate limit was implemented in the API itself and I was not able to bypass it.
I also checked whether I could bypass the OTP by resetting my password via my email address, but the app then asked me to sign in again with the new password and enter the 6-digit OTP code sent via SMS, so this did not bypass it either.
So it was time to check every request and its response. I turned intercept on and started with the responses of the password reset method; nothing there was interesting. I logged into my test account's mailbox and checked the reset link: the token in the link was long and complex, so it could not be brute-forced.
I opened the link, entered my new password, pressed the change-password button and checked the response. I could confirm that the password reset API method set a new live token for my account and leaked that token in the response. With this live token I could call every method of the account via the API without ever signing in through the app interface: the API treated it as a fully authenticated session even though the OTP had never been entered.
Rather than stop there, I chose to find a way to turn off the OTP without signing in. After checking the account settings, I found the API request that disables OTP via phone number. I sent that request from Repeater with the leaked live token, which disabled the OTP, and then logged into the app interface without being asked for a code.
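To make the chain concrete, here is a small in-memory model of the flow above, written for this writeup and not code from target.com (the endpoint names, the `reset_leaks_session` switch and the sample account are all assumptions). With the switch on, the password reset method returns a fully authenticated session token, so the attacker can call the disable-OTP method with it and then log in without a code; with the switch off, the reset returns only a status and the OTP-gated login is the only way to get a full session.

```python
import secrets


class Account:
    """Toy account record. Passwords are kept in clear text only to keep the model short."""
    def __init__(self, email, password):
        self.email = email
        self.password = password
        self.otp_enabled = True          # SMS OTP turned on, as in the writeup
        self.reset_token = None
        self.pending_sms_code = None


class Api:
    """Hypothetical account API. reset_leaks_session=True reproduces the bug."""
    def __init__(self, reset_leaks_session):
        self.reset_leaks_session = reset_leaks_session
        self.accounts = {}
        self.sessions = {}   # token -> {"email": ..., "otp_done": bool}
        self.outbox = {}     # email -> last reset token (stands in for the user's mailbox)

    def register(self, email, password):
        self.accounts[email] = Account(email, password)

    def _new_session(self, email, otp_done):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"email": email, "otp_done": otp_done}
        return token

    def request_reset(self, email):
        acct = self.accounts[email]
        acct.reset_token = secrets.token_urlsafe(32)   # long random link token, not brute-forceable
        self.outbox[email] = acct.reset_token

    def complete_reset(self, reset_token, new_password):
        for acct in self.accounts.values():
            if acct.reset_token and secrets.compare_digest(acct.reset_token, reset_token):
                acct.password = new_password
                acct.reset_token = None
                if self.reset_leaks_session:
                    # BUG: a fully authenticated session is minted and returned in the
                    # response although OTP is enabled and no code was ever checked.
                    return {"status": "ok", "token": self._new_session(acct.email, otp_done=True)}
                return {"status": "ok"}   # fixed: the user has to log in (and pass OTP) again
        raise PermissionError("bad reset token")

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or not secrets.compare_digest(acct.password, password):
            raise PermissionError("bad credentials")
        if acct.otp_enabled:
            acct.pending_sms_code = f"{secrets.randbelow(10**6):06d}"   # the 6-digit SMS code
            return {"token": self._new_session(email, otp_done=False), "otp_required": True}
        return {"token": self._new_session(email, otp_done=True), "otp_required": False}

    def _full_session(self, token):
        """Only sessions that completed OTP may reach account-settings methods."""
        s = self.sessions.get(token)
        if s is None or not s["otp_done"]:
            raise PermissionError("OTP not completed")
        return self.accounts[s["email"]]

    def disable_otp(self, token):
        self._full_session(token).otp_enabled = False


def bypass_otp(api, email, new_password):
    """Attacker flow from the writeup: reset -> take leaked token -> disable OTP -> log in.
    Returns True when the final login no longer asks for an OTP code."""
    api.request_reset(email)
    link_token = api.outbox[email]            # the tester controls this mailbox
    resp = api.complete_reset(link_token, new_password)
    leaked = resp.get("token")
    if leaked:
        api.disable_otp(leaked)               # works only because the token is a full session
    return not api.login(email, new_password)["otp_required"]
```

The fix modelled here is the simplest one: a password reset changes the credential and nothing else, and every session still has to pass the OTP step before it can touch account settings such as the OTP switch itself.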
Summary
I was able to bypass the OTP by resetting my password via email address. Note that the leaked live API token in the password reset response already let me use every method of the account; I preferred to find a way to turn the OTP off, and did so with the disable-OTP API request. I was then able to log into my account without entering the OTP code. The root cause is that the password reset endpoint issued a fully authenticated session before the second factor had been checked.
Timeline
- Report (Jul 7th)
- First response (Jul 7th)