Account Take Over due to No Rate Limiting in a million dollar company
Ever since I started hacking, I have always wanted to help make the internet more secure. So, a long time back, I did some Google dorks, found a responsible disclosure program, set it as my target of the week and started hacking on it.
Let’s consider the target as target.com
which is an online e-commerce store like Amazon and Flipkart. So I started with subdomain discovery using Subfinder, one of my favourite tools, and found a subdomain used for shopping online.
Let’s consider the subdomain as shop.target.com
I quickly navigated to the URL; it had register and sign-in features, so I registered with the necessary information and created an account. The application has two types of sign-in features:
- Sign in with mobile number, by sending a 4-digit OTP to the registered mobile number
- Sign in with email and password
I chose to sign in with the mobile number to check whether any rate limiting was implemented or whether I could simply brute force the OTP and log in. Since the application uses a 4-digit code for the OTP, brute forcing the codes is all the easier.

I requested an OTP for my registered mobile number, entered some random codes in the OTP input field and intercepted the request with the proxy tool Burp Suite.

Intercepted the OTP verify request and sent it to Intruder.

Configured the Intruder payload and threads for the brute force.

Every response came back as 200 OK, so I decided to check the response length instead; for some responses the length was 1424, and checking that response showed it indicated success.
I just entered that OTP in the intercepted request, sent it, and the code still worked. It seems the application does not have any rate limiting, and whenever you request an OTP, if the previous OTP has not been used, the application issues the same OTP again until it is used for validation. Now the user's account is taken over.
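As an added example (my own code, not from the original post or from the target application), this is the server-side OTP check written the way the findings above imply it should work: every request mints a fresh code, a code is single use, it expires, and it is thrown away after a small number of wrong guesses. The attempt cap and lifetime are assumed policy values, and the brute-force helper replays the 4-digit Intruder run against the store to show where it stops.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: a code is thrown away after 5 wrong guesses
OTP_TTL_SECONDS = 300   # assumed policy: a code lives for 5 minutes
OTP_DIGITS = 4          # the write-up's 4-digit code (6 digits would widen the guess space)

class OtpStore:
    """Per-number OTP state kept in memory; a stand-in for the real database."""
    def __init__(self, now=time.time):
        self._now = now                  # injectable clock so expiry can be tested
        self._pending = {}               # mobile -> {"code", "expires", "attempts"}

    def issue(self, mobile):
        # Every request mints a fresh code and discards the old one, so a code
        # never survives a re-request and a previous guess run restarts from zero.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[mobile] = {"code": code,
                                 "expires": self._now() + OTP_TTL_SECONDS,
                                 "attempts": 0}
        return code                      # would be handed to the SMS gateway

    def verify(self, mobile, guess):
        """Returns 'ok', 'wrong', 'expired', 'locked' or 'none'."""
        entry = self._pending.get(mobile)
        if entry is None:
            return "none"                # nothing outstanding: never issued, used, or locked
        if self._now() > entry["expires"]:
            del self._pending[mobile]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[mobile]    # lockout: even the right code is refused now
            return "locked"
        if hmac.compare_digest(entry["code"], guess):
            del self._pending[mobile]    # single use: success consumes the code
            return "ok"
        return "wrong"

def simulate_brute_force(store, mobile):
    """Walk all 4-digit codes like an Intruder run; returns (succeeded, guesses_sent)."""
    for n in range(10 ** OTP_DIGITS):
        status = store.verify(mobile, f"{n:0{OTP_DIGITS}d}")
        if status == "ok":
            return True, n + 1
        if status != "wrong":
            return False, n + 1          # locked/expired/none: the run is over
    return False, 10 ** OTP_DIGITS
```

With the cap in place the replayed Intruder run ends after at most MAX_ATTEMPTS + 1 requests, and a 200 OK with an unchanged body length no longer tells the sender anything about the remaining 9,994 codes.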
We can't brute force our way into a user's account every time, right? So I came up with an idea to take over the victim's account completely. I went to my account, changed the victim's mobile number to mine and saved the changes.
Guess what, there is verification for updating the mobile number or email ID, so you can just brute force the OTP, log in to the victim's account and change the mobile number or email ID to one that you own.
I quickly logged out and tried to log in with my mobile number to see whether the change I had made earlier was working.