OTP Bypass Via Response Manipulation
Hello everyone, I’m Marathe Rao, and in this write-up, I will explain how I could bypass OTP verification.
About OTP
OTP stands for one-time password. It is common to receive an OTP code, which is used to authenticate users during account creation. OTPs are designed to provide an additional layer of security, ensuring that only authorized individuals can access specific accounts.
Now let’s see the steps.
1. Enter details such as name, phone number and email to create an account.
2. In the phone number field, add the victim's phone number, and in the email field add the attacker's email.
3. The OTP is now sent to the victim's phone number. Enter 000000, capture the request, do intercept and forward it.
4. In the response, change null to 0 and false to true, then forward it.
5. The SMS OTP is successfully bypassed.
Although the SMS/phone OTP verification can be bypassed, email confirmation remains intact. However, the attacker can confirm the victim's account by using their own email address during the registration process.
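Editing the verification response only succeeds when the account is finalised on the strength of what the client was told rather than on state the server recorded itself. The sketch below is an added example of that server-side check, not code from the affected application (the write-up does not show it); the root cause is an assumption, and `RegistrationStore`, its methods and the `client_says_verified` parameter are hypothetical names.

```python
import hmac
import secrets
import time

OTP_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5   # guesses allowed before the code is burned (assumed policy)

class RegistrationStore:
    """Server-side record of pending sign-ups, keyed by phone number."""
    def __init__(self):
        self._pending = {}

    def start(self, phone, email, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = {"email": email, "code": code, "verified": False,
                                "attempts": 0, "expires": now + OTP_TTL}
        return code  # handed to the SMS gateway, never returned to the client

    def verify(self, phone, submitted, now=None):
        now = time.time() if now is None else now
        rec = self._pending.get(phone)
        if rec is None or now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["code"].encode(), submitted.encode())
        if ok:
            rec["verified"] = True  # the only place this flag is ever set
        return ok

    def complete(self, phone, client_says_verified=False):
        # client_says_verified stands in for whatever the (possibly edited)
        # verify response told the client; it is deliberately ignored.
        rec = self._pending.get(phone)
        if rec is None or not rec["verified"]:
            raise PermissionError("phone number not verified")
        del self._pending[phone]
        return {"phone": phone, "email": rec["email"], "phone_verified": True}
```

With this shape, changing `false` to `true` in the response body alters only what the client displays; `complete` still refuses until `verify` has accepted the real code on the server.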
Report: 01-03-2024
Accept: 03-03-2024, approved as medium severity
Waiting for bounty $$$😉
Thanks for reading. Hope you liked it.
Jai Maharashtra!