How I turned 0000 into $600: Phone Verification Bypass
Hello Hunters, this is a tale of how I decoded the verification flow of a well-known web application and bypassed the phone verification process because of an initial code set at the backend ❤
Damn Excited! Can’t wait to share this…😍
The web application was a server hosting management system with 24x7 support, datacentre facilities, etc. After creating an account, a server of the user’s choice is provisioned, which means a real resource is consumed. Unrestricted account creation could therefore exhaust the available resources.
To prevent this, a phone verification mechanism was implemented: the user has to enter a 4-digit code that is read out on a call placed to the mobile number they entered. Only after entering the correct code did the user get access to the functionality offered.
The Phone Verification mechanism looked like this,
Here is the catch,
While testing, I had to create multiple accounts, and going through this process every time seemed hectic, so I tried to bypass it. I started forming test cases for the inputs (phone number, verification code). Out of the many test cases formed, this was the one with the strongest logic:
Test case: as you can see, the “Verification Code” input is already present before a phone number has been entered. The normal flow would be to ask for the phone number first and only then for the verification code. But here, things seemed different 🤷♀️
So What if I enter any value in the “Verification Code” input box before entering the phone number and click on “Verify Code”?🤔
What if the developer had set a variable at the backend that held some initial value before the user clicks on “Call me Now”?😮
Going with the test case, I tried 1234, 1111, 8421, etc., but none of them worked. However, with 0000 the account got verified successfully, meaning that the phone verification was bypassed.
Steps Followed :
- Create an account
- The phone verification page asks for the verification code at the same time as the phone number, which is what makes it open to this test case. So, without entering a phone number, enter 0000 in the “Verification Code” input box and click “Verify Code”.
- Your account is verified successfully.
So my what-ifs were correct: a variable at the backend held the initial value 0000 before the user ever clicked “Call me Now”, and the verify step compared the submitted code against it.
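To make the root cause concrete, here is an added example of my own (constructed for this article, not the vendor’s code) that models the flaw in Python beside a hardened version. Everything in it is an assumption: the class names, the `0000` default, the phone numbers, the 5-minute expiry and the 5-guess limit. The vulnerable class stores a code at account creation and lets “Verify Code” run before “Call me Now” was ever pressed; the hardened one has no code until a call is requested, generates it randomly, binds it to the phone number, expires it, makes it single-use and caps guesses.

```python
import hmac
import secrets
import time

# Constructed model of the behaviour described in the post. Not the
# vendor's code; names and values are assumptions for illustration.


class VulnerableVerification:
    """Code is pre-set at account creation, so verify_code() accepts the
    default before any call has been requested."""

    INITIAL_CODE = "0000"  # assumed backend default, as inferred in the post

    def __init__(self):
        self.phone = None
        self.code = self.INITIAL_CODE  # the bug: a valid code exists already
        self.verified = False

    def call_me_now(self, phone):
        self.phone = phone
        self.code = "%04d" % secrets.randbelow(10000)
        return self.code  # would be read out over the voice call

    def verify_code(self, submitted):
        # No check that a call was ever placed, no binding to a phone number.
        matched = submitted == self.code
        if matched:
            self.verified = True
        return matched


class HardenedVerification:
    """No code exists until requested; random, phone-bound, expiring,
    single-use, with a guess limit. Fails closed on every missing state."""

    CODE_TTL_SECONDS = 300  # assumed policy
    MAX_ATTEMPTS = 5        # assumed policy

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for testing expiry
        self.phone = None
        self._code = None
        self._issued_at = None
        self._attempts = 0
        self.verified = False

    def call_me_now(self, phone):
        self.phone = phone
        self._code = "%04d" % secrets.randbelow(10000)  # CSPRNG, not a default
        self._issued_at = self._clock()
        self._attempts = 0
        return self._code

    def verify_code(self, phone, submitted):
        if self._code is None:
            return False  # nothing was ever issued: reject, do not compare
        if self._attempts >= self.MAX_ATTEMPTS:
            return False  # brute-force cap for a 4-digit space
        if self._clock() - self._issued_at > self.CODE_TTL_SECONDS:
            self._code = None  # expired: discard so it can never match
            return False
        self._attempts += 1
        ok = phone == self.phone and hmac.compare_digest(submitted, self._code)
        if ok:
            self.verified = True
            self._code = None  # single use
        return ok


def replay_post_scenario():
    """Replays the bypass from the post against both models and returns
    (vulnerable_bypassed, hardened_bypassed)."""
    v = VulnerableVerification()
    h = HardenedVerification()
    # "Verify Code" with 0000, no phone number entered, no call requested.
    return v.verify_code("0000"), h.verify_code(None, "0000")


if __name__ == "__main__":
    print("vulnerable bypassed, hardened bypassed:", replay_post_scenario())
```

When testing a flow like this, send the verify request before ever requesting a code and try empty and all-zero values; a correct implementation fails closed because there is simply nothing to compare against.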
Hence, the title: “How I turned 0000 into $600” 💯😎
The submission was triaged and I was rewarded with a $600 bounty under the P3 category 😁
That’s all for this article, I hope you guys enjoyed this form of learning ❤
Stay Safe 🤗