Adreeta Maity
Jun 20, 2021


Finding my first bug: Account Takeover

Hey everyone,

I just started my journey with bug hunting, and this is the first valid, non-duplicate bug I found.

A brief description of the login feature on the website, let's call it abc.com: when a user logs in, abc.com sends a 6-digit OTP to the user's phone number, and only after that OTP is entered does the application treat the user as verified. The intent is that only someone holding the phone, and therefore the valid OTP, can get into the account.

If the login request is intercepted with any proxy tool, the OTP for that phone number is already visible in the server's response. The attacker therefore never needs access to the user's phone to pass the verification step: the server hands out the secret it is about to check.

Screenshot: OTP in the response

Simply submitting that OTP to the website lets the attacker into the user's account. Since the OTP is the only check the login flow performs, knowing the victim's phone number is enough to trigger the request, read the code out of the response, and complete the login.
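The flaw above, as an added example that is not code from the original post or from abc.com: a minimal OTP login step written two ways. The vulnerable handler generates the code, sends it out of band, and then echoes it in the JSON response, which is exactly what the proxy showed. The fixed handler keeps only a phone-bound hash server-side, limits lifetime and guesses, compares in constant time, and returns nothing usable. The in-memory store, the `SmsGateway` stub, and the phone numbers are constructed for the example; `response_leaks_otp` is the check you would run from the proxy to confirm the leak.

```python
"""OTP login step: vulnerable (code echoed in response) vs. fixed.
Added example; the store, SMS stub and phone numbers are hypothetical."""
import hashlib
import hmac
import json
import re
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5        # assumed guess budget per code


class SmsGateway:
    """Stand-in for the real SMS provider: it just records what would be sent."""

    def __init__(self):
        self.sent = []

    def send(self, phone, text):
        self.sent.append((phone, text))


# Hypothetical server-side store: phone -> {"hash", "expires", "attempts"}.
_pending = {}


def _digest(phone, otp):
    # Store a hash bound to the phone number rather than the code itself, so
    # a database read or a log line does not reveal live codes either.
    return hashlib.sha256(f"{phone}:{otp}".encode()).hexdigest()


def _issue(phone, sms):
    # 6 digits from a CSPRNG; never random.randint or a time-based counter.
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[phone] = {
        "hash": _digest(phone, otp),
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    sms.send(phone, f"Your login code is {otp}")
    return otp


def request_otp_vulnerable(phone, sms):
    """The flaw from the post: the code goes out by SMS *and* in the response."""
    otp = _issue(phone, sms)
    return {"status": "otp_sent", "phone": phone, "otp": otp}  # the leak


def request_otp_fixed(phone, sms):
    """Same flow, but the response carries nothing an attacker can use."""
    _issue(phone, sms)
    return {"status": "otp_sent"}


def verify_otp(phone, submitted):
    """Single-use, time-limited, attempt-limited, constant-time check."""
    entry = _pending.get(phone)
    if entry is None:
        return False
    if time.time() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(phone, None)
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["hash"], _digest(phone, submitted))
    if ok:
        _pending.pop(phone, None)  # a code is good for exactly one login
    return ok


def response_leaks_otp(response, sms_text):
    """The check to run from the proxy: does the HTTP response body contain
    the 6-digit code that was delivered out of band?"""
    match = re.search(r"\b\d{6}\b", sms_text)
    return bool(match) and match.group(0) in json.dumps(response)


if __name__ == "__main__":
    gateway = SmsGateway()
    for handler in (request_otp_vulnerable, request_otp_fixed):
        body = handler("+15550001234", gateway)
        leaked = response_leaks_otp(body, gateway.sent[-1][1])
        print(handler.__name__, json.dumps(body), "LEAKS" if leaked else "ok")
```

The only difference between the two request handlers is the return value; everything that makes the fixed version safe to expose (hash-only storage, expiry, attempt cap, single use, `hmac.compare_digest`) lives in `verify_otp`, because a response that says nothing is only a real fix if the code it hides cannot be brute-forced or replayed instead.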
