
OTP bypass via Password Reset Functionality

Updated: Aug 22, 2022




Description of the vulnerability: When a user forgets his password, he can reset it by entering his User ID; the application then sends an OTP to the mobile number registered for that user to confirm that the person requesting the reset controls the account. The OTP check, however, is enforced only on the client. The attacker submits any 6-digit value, intercepts the server's response in Burp Suite and rewrites the failure verdict to a success one (the steps below change "Invalid OTP" to "Success"), and the application takes him to the password reset page. The same interception point can also be used to replace the victim's registered mobile number with the attacker's own, so that the OTP is delivered to him. Either way the attacker sets a new password and logs in to the victim's account.

Impact: High

  • Full takeover of any user's account: the attacker needs only a valid User ID, which can be obtained through username enumeration on the reset form, and never needs access to the victim's phone because the OTP value is irrelevant.

  • No interaction from the victim is required; the victim learns of the takeover only when his old password stops working.

Remediation:

  1. Implement OTP expiry (a lifetime of a few minutes) and make each OTP single-use.

  2. Verify the OTP on the server and gate the password reset on server-side state, not on the client's reading of the response: the reset request must carry a server-issued token (or session flag) that is created only after a correct OTP has been submitted, so a response rewritten in a proxy cannot advance the flow. The reset step must not accept the user ID or mobile number from the client.

  3. Discard the OTP after 3 or 5 wrong attempts and require a fresh OTP to try again; rate-limit the send-OTP and verify-OTP endpoints so the 6-digit space cannot be brute-forced.

Steps to reproduce:

Step 1: Open the respective site, e.g. https://example@otp.com

Step 2: Click on Forgot Password on the Customer Login page.

Step 3: Enter any User ID that exists in the database and click Send OTP (an attacker can obtain valid user IDs through username enumeration).

Step 4: Enter any OTP, for example 000000, and click Proceed.

Step 5: With Burp Suite intercepting, capture the server's response to the OTP verification request.

Step 6: Change the "Invalid OTP" result in the response to "Success" and forward it.

The application then takes you to the password reset page. Change the password and log in to the target account.
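The following is an added example, not code from the page or from the affected application. It models both the reproduction steps above and the remediation list in one place: a hypothetical Python password-reset service whose vulnerable reset endpoint trusts that the client only reached it after a "Success" response, beside a hardened version where the reset step requires a server-issued token that exists only after the server itself accepted the OTP. The user "victim", the mobile number, the SMS stand-in, the 5-minute lifetime and the 5-attempt limit are all constructed for the example; the OTP generator and clock are injectable only so the behaviour can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300     # remediation 1: OTP expiry (assumed value)
MAX_ATTEMPTS = 5          # remediation 3: discard the OTP after N wrong attempts


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


class PasswordResetService:
    """Hypothetical server side of the forgot-password flow (added example, not the target app)."""

    def __init__(self, users, clock=time.time, randbelow=secrets.randbelow):
        self.users = users          # user_id -> {"mobile": ..., "password": ...}
        self.clock = clock
        self.randbelow = randbelow
        self.otps = {}              # user_id -> OtpRecord
        self.reset_tokens = {}      # reset_token -> user_id
        self.sent_sms = []          # constructed stand-in for the SMS gateway

    def send_otp(self, user_id):
        # Same response whether or not the user exists, so this step does not enumerate users.
        if user_id in self.users:
            code = f"{self.randbelow(10**6):06d}"
            self.otps[user_id] = OtpRecord(code, self.clock())
            self.sent_sms.append((self.users[user_id]["mobile"], code))
        return {"status": "If the account exists, an OTP has been sent"}

    def verify_otp(self, user_id, submitted):
        rec = self.otps.get(user_id)
        if rec is None:
            return {"status": "Invalid OTP"}
        if self.clock() - rec.issued_at > OTP_TTL_SECONDS:
            del self.otps[user_id]
            return {"status": "OTP expired"}
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self.otps[user_id]
            return {"status": "Too many wrong attempts, request a new OTP"}
        if not secrets.compare_digest(rec.code, submitted):
            return {"status": "Invalid OTP"}
        del self.otps[user_id]      # single use
        # Remediation 2: the only proof that the OTP was verified is this server-issued token.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = user_id
        return {"status": "Success", "reset_token": token}

    def reset_password_vulnerable(self, user_id, new_password):
        # The bug described on the page: trusts that the client only got here after "Success".
        self.users[user_id]["password"] = new_password
        return {"status": "Password changed"}

    def reset_password(self, reset_token, new_password):
        user_id = self.reset_tokens.pop(reset_token, None)   # one-time token
        if user_id is None:
            return {"status": "Reset not authorised"}
        self.users[user_id]["password"] = new_password
        return {"status": "Password changed"}


def new_service(**kwargs):
    # Constructed sample user; "victim" stands in for any enumerated user ID.
    return PasswordResetService({"victim": {"mobile": "+10000000000", "password": "old"}}, **kwargs)


def attacker_flow(service, hardened):
    """Replays steps 3 to 6: guess 000000, rewrite the response to Success, submit a new password."""
    service.send_otp("victim")
    resp = service.verify_otp("victim", "000000")
    resp["status"] = "Success"          # Burp: "Invalid OTP" -> "Success", but only in the client's copy
    if hardened:
        # The reset page needs the server-issued token, which the tampered response does not carry.
        service.reset_password(resp.get("reset_token", ""), "pwned")
    else:
        service.reset_password_vulnerable("victim", "pwned")
    return service.users["victim"]["password"] == "pwned"


def legitimate_flow(service):
    """The real user reads the OTP from SMS, receives a token, and resets once."""
    service.send_otp("victim")
    _, code = service.sent_sms[-1]
    resp = service.verify_otp("victim", code)
    service.reset_password(resp["reset_token"], "newpass")
    return service.users["victim"]["password"] == "newpass"
```

The point of the hardened path is that nothing the attacker can change in transit creates an entry in `reset_tokens`; the server's own decision, not the client's reading of the response, is what unlocks the reset. Expiry and the attempt counter additionally stop an attacker who falls back to brute-forcing the 6-digit space once response tampering no longer works.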


