Easiest Authentication Bypass Ever !!!

September 4th 2015,

I was given a revaluation pen-test for a bank's Android/IOS application.
It took me hardly an hour for replicating the test for previous vulnerabilities. When I was done with my work I still got time for sending my report to client. So I started looking to my burp suite history and suddenly I noticed a HTTP Response which was carrying a verification code parameter...

I was shocked as the code was same as OTP that I requested earlier that hour for login to my account. As million question coming to my mind such as how ?, why ? ...etc One thing was clear that the application authentication via OTP was going on at client side.

I had a thought, If the OTP & Verification Codes are present in HTTP Response I can easily Bypass the authentication plus I can change the password for any account I like all I want was victim's User Name or email or mobile number.

So, here goes the POC for How client side OTP Checked is dangerous for users ?

1. I started login with victim mobile no. & user mobile number was checked correctly.

2. Then I was navigated to Enter Password, Forgot Password activity so I  attached my Burp Suite for HTTP Request interception.

 3. I clicked on forgot password & a request was generated, I forward the request & intercept the response for that request. Response I received was having verification code.

4. So, I got the verification code, & I was redirected to Verification activity.

5. I put the OTP in form & pressed OK. Then I was successfully entered the Change Password Activity.


-Raghav Bisht