How I bypassed the OTP verification process? Part — 2
I hope you have read the Part 1 article; if not, do visit the link below and check it out first, to understand this one properly.
Well, don’t worry even if you didn’t read it, let me give you a brief summary of my previous article. I was able to create a new account under an unknown number (which could have belonged to anyone) because I was able to bypass their OTP verification process, and all this was possible because I carried out a brute force attack via Burp Suite.
As a responsible son, I discuss all of my hacks with my dad, and he came up with a brilliant reply when I told him about this hack: “So what if you can create an account under my mobile number, how is it of any use to me if I still have to pay for my tickets?”. I gave him a small lecture regarding identity theft and how the basic security property of “non-repudiation” doesn’t hold here, but to a layman it actually wasn’t such a big hack. I decided to spice things up.
Let’s dig in!
Now that I already knew I had bypassed their OTP system once, I had to find a way to get tickets for free, i.e. not pay for my tickets. Because if you are like my dad, then it’s definitely no fun to create an account under someone else’s phone number; the real fun is when you watch those movies and someone else pays for them. I mean, there is something so soothing about it that I can’t even begin to describe.
The problem was that I either had to hack the payment gateway, which I had done many times before, or get into the account of someone who had already paid for a ticket and take the ticket and seat number. But keeping in mind how lazy I am, I stuck with the OTP bypass method. Right then, while I was trying to break into my own account, this wonderful idea popped into my head: “Forgot My Password”.
I was a fan of this feature, as I used it to get into other people’s Facebook accounts some 6-7 years back, but I had not really focused on it nowadays. So I decided to give it a try for old times’ sake; who knew it would work.
Forgot My Password
So I proceeded with the Forgot My Password option and was prompted to enter the phone number I had used to create my account (the image above). Once I entered the mobile number I was presented with the OTP verification page, and the same instant I received the OTP on my phone.
So I turned to my ultimate tool, Burp Suite. I intercepted this request and carried out the brute force attack. I already knew brute force was possible, as I mentioned in the previous article.
I knew the OTP was a six-digit number, so I let the brute force attack run for some time and voila! I got the option to reset the password.
I went ahead with the reset password feature and was in my account in no time. I had full access, and of course I had the details of the ticket I had booked earlier. Pretty impressive, huh?
As I discussed earlier, this whole hack and many others were possible because of the lacklustre work of the security personnel, who did not apply any maximum limit on retries. This lets an attacker try every possible combination until the password, or the OTP in this case, is discovered. A maximum retry limit must be set to stop these kinds of attacks.
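As an added example (not the author’s code or the booking site’s), here is what the missing control looks like on the server side: each pending OTP carries a bounded attempt counter and an expiry, and the simulation submits the six-digit codes in order to show where the limit stops it. The limit of 5 attempts, the 300 s lifetime and the phone number are assumed values.

```python
import hmac
import secrets
import time

# Assumed policy values; the post only says that a maximum retry limit must be set.
MAX_ATTEMPTS = 5
OTP_TTL_SECONDS = 300


class OtpStore:
    """Pending OTP challenges keyed by phone number (in-memory, constructed for this example)."""

    def __init__(self, now=time.time, rng=secrets.randbelow):
        self._now = now    # injectable clock so expiry can be exercised in tests
        self._rng = rng    # injectable randomness so tests are deterministic
        self._pending = {}

    def issue(self, phone):
        """Create a fresh six-digit OTP for this phone, replacing any pending one."""
        code = f"{self._rng(1_000_000):06d}"
        self._pending[phone] = {"code": code, "attempts": 0,
                                "expires": self._now() + OTP_TTL_SECONDS}
        return code

    def verify(self, phone, submitted):
        """Check a submitted code. Every outcome except 'wrong' consumes the challenge."""
        entry = self._pending.get(phone)
        if entry is None:
            return "no_challenge"
        if self._now() > entry["expires"]:
            del self._pending[phone]
            return "expired"
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):
            del self._pending[phone]
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[phone]   # locked: a new OTP must be sent, which the real owner notices
            return "locked"
        return "wrong"


def simulate_guessing(store, phone):
    """Submit 000000, 000001, ... as an unthrottled client would; report where the server stops it."""
    for guesses, candidate in enumerate(range(1_000_000), start=1):
        result = store.verify(phone, f"{candidate:06d}")
        if result != "wrong":
            return result, guesses
    return "exhausted", 1_000_000
```

With the counter in place the guessing loop is cut off after MAX_ATTEMPTS submissions and the challenge is discarded, so the only way forward is to request a fresh OTP, which lands on the real owner’s phone.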
If you enjoyed it please do clap and happy hacking!
P.S. Do tell me about more interesting hacks that you might be working on and let’s see if we can team together, comment below.
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : [email protected]