Account Takeover featuring OTP

Suneet Singh
3 min read · Nov 8, 2020

Namaste everyone

Today I’ll share a simple (easy to find and easy to exploit) yet critical vulnerability that I found in many Android applications. This vulnerability allowed me to take over any user’s account just by using their phone number or email address.

The vulnerability I found was that these applications either generated the OTP for login or password reset on the client side (that is, within the application itself), or generated it at the backend but echoed it back in the HTTP response to the very request that asked for OTP generation, so it could be read by simply intercepting that response.

OTP: One Time Password

POC:

1. In the first application, the only login method is by entering your phone number and the OTP sent to that number.

In this application, the OTP is generated within the app itself and is then sent to the given phone number, so the code is visible in the app’s own outgoing request.

[Screenshot: OTP can be seen in the POST request]

2. In the second application, anyone can reset any account’s password just by knowing its e-mail address.

Just click on Forgot Password, enter the email address and click Submit, and you will see the OTP in the response to this HTTP request.

[Screenshot: HTTP request to generate the OTP]
[Screenshot: OTP received in the HTTP response]

3. In the third application, too, the OTP can be seen in the HTTP response; here we have to provide a phone number instead of an email address.

[Screenshot: GET request for OTP generation at the backend]
[Screenshot: HTTP response with the OTP]

I have found similar OTP-related vulnerabilities in many Android applications. All of these vulnerable applications illustrate what Android application developers must take care of: never generate the OTP within the app, and never send it in cleartext in HTTP requests or responses. Getting this right prevents a malicious actor from stealing users’ data or causing any other harm to the users of their applications.
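To make the fix concrete, here is an added example (not code from the post or from any of the applications it describes) of the server-side pattern the paragraph above calls for, written in Python with hypothetical function names. An in-memory dict stands in for the database and a list stands in for the SMS gateway, both constructed for the example; the post names no backend stack. The vulnerable handler echoes the code in the response, exactly the bug class shown in the screenshots; the hardened handler generates the code on the server with a CSPRNG, stores only a keyed digest with an expiry and an attempt cap, delivers it out of band, and returns a fixed acknowledgement. A small `response_leaks_otp` check is included as the kind of regression test that would have caught all three findings.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-ins for a database table and an SMS gateway (assumptions for
# this example; the post names no backend stack).
_otp_store = {}    # phone -> {"digest": bytes, "expires": float, "attempts": int}
_sms_outbox = []   # (phone, text) pairs the gateway would deliver out of band

OTP_TTL_SECONDS = 300                    # five-minute validity window
MAX_ATTEMPTS = 5                         # brute-force limit per issued code
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def _digest(phone, otp):
    """Keyed hash of the code so a leaked store does not yield usable OTPs."""
    return hmac.new(SERVER_SECRET, f"{phone}:{otp}".encode(), hashlib.sha256).digest()


def request_otp_vulnerable(phone):
    """The anti-pattern from the post: the backend generates the code but echoes
    it back in the HTTP response, so whoever sent the request can read it."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _sms_outbox.append((phone, f"Your code is {otp}"))
    return {"status": 200, "body": {"message": "sent", "otp": otp}}


def request_otp(phone, now=None):
    """Hardened handler: the OTP is generated on the server with a CSPRNG, kept
    only as a keyed digest with an expiry, delivered out of band, and the HTTP
    response carries nothing that reveals the code."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _otp_store[phone] = {
        "digest": _digest(phone, otp),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    _sms_outbox.append((phone, f"Your code is {otp}"))
    # Fixed acknowledgement: the code leaves the server only through the SMS channel.
    return {"status": 200,
            "body": {"message": "If the number is registered, a code has been sent."}}


def verify_otp(phone, submitted, now=None):
    """Check a submitted code: expiry, attempt cap, constant-time compare, single use."""
    now = time.time() if now is None else now
    rec = _otp_store.get(phone)
    if rec is None or now > rec["expires"]:
        _otp_store.pop(phone, None)
        return {"status": 401, "body": {"error": "invalid or expired code"}}
    if rec["attempts"] >= MAX_ATTEMPTS:
        _otp_store.pop(phone, None)
        return {"status": 429, "body": {"error": "too many attempts"}}
    rec["attempts"] += 1
    if hmac.compare_digest(rec["digest"], _digest(phone, submitted)):
        _otp_store.pop(phone, None)  # a code is consumed on first success
        return {"status": 200, "body": {"session": secrets.token_urlsafe(32)}}
    return {"status": 401, "body": {"error": "invalid or expired code"}}


def response_leaks_otp(response, otp):
    """Regression check for the bug class in the post: does the code string
    appear anywhere in the serialised HTTP response?"""
    return otp in json.dumps(response)


def last_sent_code():
    """Read the code back from the constructed SMS outbox (test access only;
    a real gateway gives the server no such path back to the client)."""
    return _sms_outbox[-1][1].rsplit(" ", 1)[-1]


if __name__ == "__main__":
    phone = "+10000000000"  # constructed sample number
    leaky = request_otp_vulnerable(phone)
    print("vulnerable handler leaks code:", response_leaks_otp(leaky, last_sent_code()))
    safe = request_otp(phone)
    print("hardened handler leaks code:", response_leaks_otp(safe, last_sent_code()))
    print("login with delivered code:", verify_otp(phone, last_sent_code())["status"])
```

The design point is that the only channel the code ever travels through is the one bound to the phone number; the HTTP response is the same regardless of the code, and the verification endpoint bounds guessing with the attempt cap and the expiry. Running `response_leaks_otp` against every OTP-issuing endpoint in an integration test turns the screenshot-based finding from the post into an automated check.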

Hope you find this article informative; any constructive suggestions are wholeheartedly welcomed.

🙏


Suneet Singh

A Computer Science & Engineering graduate passionate about Cyber Security.