Day 58/100 Hack and Improvement

less than 1 minute read

Day 58 comes with more tails on account take over. I found this worth reading due to the fact of the process thought of the writer. Congrats to Avanish Pathak who made the writeup.

Account take over by using the attacker’s OTP code in order to login to any valid account.

The attacker found himself looking brute forcing the OTP code. (Un)fortunatelly there were certain restrictions at the time to bruteforce the OTP, such as rate limit (429 to many requests). Then at the time to make the request, the content of the POST request looked like.

{“ email ”:“admin@example.com”,“code”:XXXX }

Where by just changing the email, the attacker was able to login to other accounts. Full writeup HERE

Leave a comment