How We Secured Our Client’s Platform Against Interaction-Free Account Thefts

During a recent pentest engagement with CyberAR LLC, we uncovered a critical security vulnerability in the OTP (One-Time Password) verification process of a popular web application. This vulnerability allowed us to bypass OTP verification, leading to a complete takeover of user accounts. Here's how it went down.

---

The Discovery

Our target was a web application that implemented OTP-based authentication as an added layer of security. The user would enter their email, request an OTP, and then submit the received code to gain access to their account. It all seemed secure at first glance—until we dug deeper.

Initial Exploration

The first thing we noticed was that the OTP mechanism didn't include any rate limiting. This was curious because, without proper rate limiting, an attacker could theoretically brute force the OTP. But we weren't just going to theorize—we needed to test it.

Using Burp Suite, we intercepted the OTP submission request. The request looked simple enough:

POST /api/v1/signin/email/verify HTTP/1.1
Host: api.target.io
Content-Type: application/json

{"email":"victim@gmail.com","verificationCode":123456}

At this point, we set up Burp Suite's Intruder tool to brute force the OTP field.

Executing the Attack

We configured the Intruder to iterate through possible OTP values. Since the OTP was six digits long. We figured that even with no rate limiting, the attack might take a while, but we were patient.

With the Intruder running, we monitored the responses. After several attempts, the server responded with an HTTP 200 status code. Bingo! We had guessed the correct OTP.

The Exploit: Account Takeover

With the correct OTP in hand, we extracted the OneTimeToken from the server’s response. This token was the key to the kingdom.

Next, we used the OneTimeToken in a follow-up request to the API:

GET /api/v1/oneTimeAuth?oneTimeToken=VALID_TOKEN HTTP/1.1
Host: api.target.io

This request returned the full authorization token for the victim’s account, effectively logging us in as the user. From there, we had full control over the account—accessing personal data, modifying account settings, and more.

Lessons Learned

This vulnerability highlighted several critical issues in the OTP verification process:

• Lack of Rate Limiting: Without rate limiting, brute-forcing the OTP was trivial.

• Insecure OTP Mechanism: The system should invalidate OTPs after a few incorrect attempts or after a short period.

• Inadequate Monitoring: The application lacked sufficient logging and monitoring, allowing such an attack to go undetected.

Conclusion

This pentest engagement with CyberAR LLC served as a stark reminder of how seemingly minor oversights in security mechanisms like OTP can lead to severe consequences, such as full account takeovers. Always think critically about how each piece of the security puzzle fits together, and never underestimate the importance of comprehensive security testing.

Stay curious, stay secure, and happy hacking!

Resources

2FA/MFA/OTP Bypass - HackTricksbook.hacktricks.xyz

API4:2019 Lack of Resources & Rate Limiting - OWASP API Security Top 10owasp.org

Blocking Brute Force Attacks | OWASP Foundationowasp.org

CWE - CWE-307: Improper Restriction of Excessive Authentication Attempts (4.19)cwe.mitre.org