Improper phone number validation to account takeover

Hi Everyone!

Hope you are doing well. I am back with another bug.

Whoami: I am Shesha Sai C, I'm a bug bounty hunter and security researcher.

Let us refer to the site as redacted.com, as the program does not support disclosures.

I know a lot of you think this is a drag, but this blog is not about the target; it is about knowledge sharing.

Let's dive in!

The application does not have much scope to hunt on: all it contains is a signup and login page with a phone number that receives an OTP, no PII disclosure, and all technologies are up to date. Damn!!!! I know the feeling, and I was like

Now, this is where the story begins: the signup page states that the application allows only users from Russia to sign up or enrol for an account, but we don't have any Russian numbers.

Trial 1: Tried to bypass this using my own number in place of a Russian phone number — no luck! It accepts only numbers in the Russian format.

Trial 2: Tried intercepting the Russian number field in Burp Suite and, without sending it to Repeater, changed the country code to +91 and my phone number and sent the request — guess what! It worked; I received a call for OTP validation.

I entered the OTP and clicked Verify, and it blocked me.

Trial 3: Tried intercepting both the OTP generation request and the OTP verification request in Burp Suite and changing the number and country code in both — it worked, amigos!!
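To show the server-side root cause the three trials point at, here is an added illustration (not the author's code, and nothing from the target): a service that enforces the country rule only in the signup form and re-reads the phone number from the verification request, beside a hardened one that validates the number once and binds it to the server-side signup session. The +7 prefix, the length bounds and every name are assumptions.

```python
import hmac
import secrets

# Constructed stand-in for the page's "only Russian numbers may enrol" rule: E.164
# numbers under the +7 country code. The prefix list and all names are assumptions.
ALLOWED_COUNTRY_CODES = ("+7",)


def is_allowed_number(phone: str) -> bool:
    # Server-side enrolment rule: permitted country code and a digit-only body.
    return (phone.startswith(ALLOWED_COUNTRY_CODES)
            and phone[1:].isdigit() and 11 <= len(phone) - 1 <= 12)


class VulnerableOtpService:
    """As in the write-up: the country rule lives only in the signup form, and the
    verify endpoint trusts whatever phone number the client sends with the code."""

    def __init__(self):
        self.codes = {}

    def send_otp(self, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[phone] = code   # keyed by the client-supplied number, no country check
        return code

    def verify(self, phone: str, code: str) -> bool:
        # the number is read from the request again, so editing both requests works
        return self.codes.get(phone) == code


class HardenedOtpService:
    """Validate the number once, bind it to the server-side signup session, and never
    read it from the verify request."""

    def __init__(self):
        self.sessions = {}

    def send_otp(self, session_id: str, phone: str) -> str:
        if not is_allowed_number(phone):
            raise ValueError("phone number not permitted for enrolment")
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[session_id] = (phone, code)
        return code

    def verify(self, session_id: str, code: str) -> bool:
        stored = self.sessions.get(session_id)
        if stored is None:
            return False
        phone, expected = stored   # number comes from server state, not the request
        return is_allowed_number(phone) and hmac.compare_digest(expected, code)
```

The same pattern applies to any per-user attribute a multi-step flow depends on: validate it once, store it server-side, and make every later step read the stored copy.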

Steps to Reproduce:

  1. Visit the signup page: https://redacted.com/signup

Tip: A great man once said, when you're stuck, take a cup of Boost and try again. PS: it is me.

Timeline: This bug was submitted 3 months ago and has been remediated.

Hope you learned something new, and let's catch up in the next story.

If you have any queries, please reach out to me on LinkedIn or Twitter; I will be happy to help.

Ignore me, I will make you regret