Bypass OTP by setting OTP in request

Introduction: 

The importance of secure authentication techniques in our digital era cannot be overstated. The One-Time Password (OTP), which adds an extra layer of protection by creating a different password for each login attempt, is one widely used technique. However, recent discoveries have shed light on a critical vulnerability that could compromise the security of OTP-based systems. In this blog post, we'll delve into the details of this vulnerability and discuss its implications for mobile number verification processes.


Vulnerability Description: 

When a user registers on the application, the application sends an OTP to their mobile number. The request that triggers this OTP has a parameter called otp, which is initially NULL. If you set a value in this parameter, that same value is delivered as the OTP to the specified mobile number. In other words, the OTP we set in the request is the OTP in use, and we can use it for user registration.

Impact: 

The consequences of this vulnerability can be severe, as unauthorized access to accounts can lead to various malicious activities. For instance, attackers can gain control of sensitive personal information, initiate financial transactions, or even impersonate the legitimate user. Such unauthorized access can cause significant harm to individuals and organizations, compromising their privacy, finances, and reputation.

Now let's look at the vulnerability in practice :)

Proof of Concept: 

 

Image 1.1: Requesting an OTP.

Image 1.2: The captured OTP request with a null otp parameter.

Image 1.3: Setting a value in the null otp parameter.

Image 1.4: The response to the manipulated request, containing the same OTP that we set in the request.

Image 1.5: Submitting the OTP to complete registration.

Image 1.6: Account created successfully.
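
For defenders, the flawed handling described above next to a hardened version, as an added example that is not code from the affected application. The function names, the dictionary-based store and SMS outbox, and the TTL and attempt limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
OTP_TTL_SECONDS = 300                 # assumed validity window
MAX_ATTEMPTS = 5                      # assumed retry limit

def send_otp_vulnerable(params, sms_outbox):
    """Assumed reconstruction of the flaw: a client-supplied 'otp' is trusted."""
    otp = params.get("otp") or f"{secrets.randbelow(10**6):06d}"
    sms_outbox.append((params["mobile"], otp))
    return {"status": "sent", "otp": otp}  # the value is also echoed back

def _mac(mobile, otp):
    # Keyed digest so the store never holds the OTP itself.
    return hmac.new(SERVER_KEY, f"{mobile}:{otp}".encode(), hashlib.sha256).hexdigest()

def send_otp_hardened(params, sms_outbox, store, now=None):
    """The server alone picks the OTP; a client-supplied value is rejected."""
    if params.get("otp") is not None:
        return {"status": "rejected", "reason": "unexpected parameter"}
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, generated server-side
    store[params["mobile"]] = {
        "mac": _mac(params["mobile"], otp), "expires": now + OTP_TTL_SECONDS, "attempts": 0,
    }
    sms_outbox.append((params["mobile"], otp))
    return {"status": "sent"}  # the OTP never appears in the HTTP response

def verify_otp(mobile, submitted, store, now=None):
    """Single-use, time-limited, attempt-limited check with constant-time compare."""
    now = time.time() if now is None else now
    rec = store.get(mobile)
    if rec is None or now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        store.pop(mobile, None)
        return False
    rec["attempts"] += 1
    if hmac.compare_digest(rec["mac"], _mac(mobile, submitted)):
        del store[mobile]  # consume on success
        return True
    return False
```

A request that carries a non-null otp value is also a useful detection signal: logging the rejection in `send_otp_hardened` gives the security team a record of tampering attempts.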



Thank you for taking the time to explore this critical vulnerability.
Stay tuned for more insightful articles on Bug Bounty.
 
Stay informed, stay vigilant, and stay secure!