#3. Bug Bounty Series: OTP Verification bypass leads to unauthorized booking appointment

Cyb3r M!nds
3 min read · Jun 25, 2024


Hello guys 👋 I've returned with yet another article, this time an OTP verification bypass through which I was able to book an appointment in the application with any email address or phone number.

What is OTP?

A One-Time Password (OTP) is a dynamic password valid for only one session; it expires if not used within the time limit (which usually varies between 60 seconds and 5 minutes).

Impacts of OTP bypass:

  • Attackers can gain access to user accounts without authorization.
  • Financial accounts or services protected by OTP can be compromised.
  • Attackers can use compromised accounts to conduct various types of fraud.
  • Sensitive information stored in compromised accounts can be accessed and exfiltrated and many more.

So, as usual, I started exploring the website and understanding the functions it offers. The target is an appointment booking website. After registering, I logged in and started to fill in the appointment form. I'll refer to the target as www.example.com, as I'm not allowed to reveal the domain name.

Let's get to the point now….

Steps to Reproduce:

  1. I started by logging into the application using an email id.

  2. After exploring the website and its features, I landed on the page where a user can book an appointment for a visa.

  3. I started booking an appointment and entered fake values for the appointment details.

  4. After filling in the details, the next step asked for OTP verification (via email or phone).

(This was preventing people from booking an appointment with fake email and/or phone information.)

  5. I tried to bypass the check using Burp Suite, but it didn't work. Then, on the front end, I opened the browser's developer tools and checked the storage used by the application, where there was an OTP parameter, i.e. is_otp_enabled.

  6. To turn off the OTP check on the client side, I modified the value in local storage to is_otp_enabled: false.

  7. After refreshing the page, the OTP verification was disabled. Sadly, though, due to application errors I was unable to demonstrate the entire reproduction process to them.

  8. In the end I reported the vulnerability and requested that they investigate. Since they were able to replicate the vulnerability on their end, they approved my report.

Best practices for OTP are as follows:

  • Enable OTP expiry.
  • Implement both client- and server-side OTP verification, rather than relying only on a client-side flag or response.
  • After 3 or 5 unsuccessful attempts, discard the OTP and send a new OTP to try again.

So, that's it for now. Thanks for reading, and I appreciate you taking the time. For more such writeups, do visit my other writeups.

If you found it useful, please click the 👏 button and share it with others who have similar interests! Feedback is always appreciated!! 😊
