OTP bypass with response manipulation.

Ertugrul
2 min read · Nov 27, 2021

Greetings, I wanted to share with you an OTP bypass vulnerability that I found in a VDP (vulnerability disclosure program).

  • Summary:

In order to open a support ticket, you must verify yourself with the code sent to your e-mail address. However, because the backend never checks that the OTP step was actually completed, you can create a support ticket without entering a code at all.

  • Description:

I entered an email address and started reviewing the request.

[Screenshot: the intercepted request]

When the request itself did not give me anything useful, I decided to take a look at the response. I saw a Location header that redirects you to the page where you verify the OTP (Location: /Basic/EmailValidate).

[Screenshot: the response with the Location header]

I forwarded the request and got to the page where I had to enter the OTP. I entered the code sent to my e-mail address and took another look at the response: this time the Location header redirected me to the /Basic/Form path. When I forwarded this request, I finally reached the page where I could create the support ticket.

Now that I had the information I wanted, I went back to the beginning to try something. I entered an e-mail address and intercepted the request with Burp, then chose Do intercept > Response to this request so I could manipulate the response. In the response I edited the Location header from /Basic/EmailValidate to /Basic/Form.

With the manipulated response forwarded, I landed directly on the ticket-creation page instead of the page that asks for the OTP.

[Screenshot: the ticket form, after forwarding the manipulated response]
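To make the root cause concrete, here is an added example (my own model, not the target's code) of the flow described above: a server that relies on the Location redirect to send users through the OTP page, next to the same endpoint with the "OTP verified" state kept in the server-side session. The handler names, the Session and Response types and the sample e-mail addresses are assumptions; the paths /Basic/EmailValidate and /Basic/Form are the ones from the post.

```python
"""Model of the OTP flow from the post: a vulnerable /Basic/Form handler that
trusts the client to have followed the redirect, beside a hardened one.
All names here are assumed for illustration; this is not the target's code."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Session:
    """Server-side session; the OTP and its verified flag never leave the server."""
    email: Optional[str] = None
    otp: Optional[str] = None
    otp_verified: bool = False
    tickets: List[Tuple[str, str, str]] = field(default_factory=list)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def start(session: Session, email: str) -> Response:
    """E-mail entry step: issue a code (would be e-mailed) and redirect to the OTP page."""
    session.email = email
    session.otp = f"{secrets.randbelow(10**6):06d}"
    session.otp_verified = False
    return Response(302, location="/Basic/EmailValidate")


def email_validate(session: Session, code: str) -> Response:
    """/Basic/EmailValidate: constant-time compare, mark the session verified, redirect."""
    if session.otp is None or not hmac.compare_digest(code, session.otp):
        return Response(200, body="wrong code")
    session.otp_verified = True
    session.otp = None  # single use
    return Response(302, location="/Basic/Form")


def form_vulnerable(session: Session, title: str, content: str) -> Response:
    """/Basic/Form as the post describes it: only the redirect in start() stands
    between the e-mail entry and ticket creation; nothing here checks the OTP step."""
    if session.email is None:
        return Response(302, location="/Basic")
    session.tickets.append((session.email, title, content))
    return Response(200, body="ticket created")


def form_hardened(session: Session, title: str, content: str) -> Response:
    """Same endpoint with the authorization decision made from server-side state.
    A client that rewrites or ignores the Location header gains nothing."""
    if session.email is None or not session.otp_verified:
        return Response(302, location="/Basic/EmailValidate")
    session.tickets.append((session.email, title, content))
    return Response(200, body="ticket created")


def bypass_attempt(form_handler) -> Tuple[int, Optional[str], int]:
    """Client behaving like the edited Burp response: after entering an e-mail,
    skip /Basic/EmailValidate entirely and request /Basic/Form directly."""
    s = Session()
    start(s, "victim@example.com")  # constructed sample input
    r = form_handler(s, "Change my withdrawal address", "please update it to my new address")
    return r.status, r.location, len(s.tickets)


def legit_flow(form_handler) -> Tuple[int, int]:
    """Honest user: enters the code they received, then files a ticket."""
    s = Session()
    start(s, "user@example.com")  # constructed sample input
    email_validate(s, s.otp)      # the real user reads the code from e-mail
    r = form_handler(s, "Help", "question about my account")
    return r.status, len(s.tickets)


if __name__ == "__main__":
    print("vulnerable:", bypass_attempt(form_vulnerable))  # ticket created, no OTP
    print("hardened:  ", bypass_attempt(form_hardened))    # bounced back to OTP page
    print("legit:     ", legit_flow(form_hardened))
```

The point of the comparison is where the check lives: a 302 in a response is advice to the browser, not an access-control decision, and anyone holding the request in a proxy can simply decline to follow it. The hardened handler treats the OTP step as a server-side state transition and re-checks it on the protected endpoint, so editing the Location header only changes which page the attacker is bounced to.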

Now I can create a ticket, without any verification, from whatever e-mail address I want. I can request in-account transactions and ask support to edit the victim's account details. Also, since a copy of the ticket goes to the victim, I control what they receive: I can set the title and content and even upload files as attachments. I think this could be used for phishing, because it is a cryptocurrency trading site.

I reported it and it was fixed.

Thank you for reading, happy hunting! :)

Twitter: @ertugrulphp
