Account verification code bypass led to a $4000 bounty

Hello reader,

I hope you are doing well. Today I want to talk about one of my findings. It was a private program and the bug is not fixed yet, so I am not going to include any information about the program/platform here. Let's call it redirect.com.

redirect.com has a session management feature: under an option called Sessions, users can see the devices that are logged in to their account and can log out or block any of those devices.

When a user blocks a device, there are two options to unblock it:

  1. Unblock it from a device that is still logged in.
  2. Log in again from the blocked device; for security, redirect.com sends a 4-digit code to the user's email address.

The second option looks interesting, right? It looked like a hidden feature to me. So I logged in from the blocked device, and redirect.com asked for the 4-digit OTP code. I tried everything from my checklist and nothing worked.

The request was a POST request with content type application/json. I had read somewhere that you can use an array to bypass OTP verification. Like this (let's say the valid OTP was 1337):

I tried this and it worked. I reported it to them and was paid out $4000.

If you are following me on Twitter you know about this finding. I shared a screenshot before.

As you can see, I did nothing crazy. The only thing I did was spend time on the target and understand its features. It was a hidden feature to me. So be the first one to find a hidden feature and test it :)

Let me know if you like this.

Thanks for reading!
