Account verification code bypass lead to a $4000 bounty
I hope you are doing well. Today I want to talk about one of my findings. It was a private program and the bug is not fixed yet. So I am not going to include any information about the program/platform here. Let's call it redirect.com.
So redirect.com has a session logout feature. This means on redirect.com there is one option called the session. Here users can see login devices and can log out user/block devices of the particular user.
When a user blocks a device. There is 2 option to unblock the device
- Users can unblock from the login device.
- Block device login again and for security, redirect.com sends a 4-digit code to the user's email address.
The second option looks interesting right. It looks like a hidden feature to me. So I log in and now redirect.com asks for a 4-digit OTP code. I tried everything from my checklist and nothing works.
The request was a POST request and the content type is application/JSON. I read it somewhere that you can use an Array to bypass OTP verification. Like this (let day the valid OTP was 1337)
I tried this and it worked. I reported to them and paid out $4000.
If you are following me on Twitter you know about this finding. I shared a screenshot before.
As you can see I did nothing crazy. The only thing I did was spend time on target and understand features. It was a hidden feature for me. So be the first one to find a hidden feature and test :)
Let me know if you like this.
Thanks for reading!