Home Account Takeover Rate limit Veris Veris.in Account Takeover

Veris.in Account Takeover

08:44

Read

Hey Guys! Today I'll share you my Account takeover finding on Veris.in, So no more waste of time and start.

I installed Android app of Veris and started testing it, In Veris app we need to first verify our number and then we can register, While doing this i captured my request and try to bruteforce the OTP and noticed that there was no rate limitation so now i can use anyone's number in my account. So i did reported it, Now that was not a big deal, Then i started testing further after so many things my mind just noticed that every request have this type of structure,

POST /api/v1/*Any Functionality*/ HTTP/1.1

Authorization: token b910cxxx2ac02f3a8xxxxxxxxxxxxxxxxxxxxxxx

Content-Type: application/json

User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; )

Host: live.veris.in

Connection: Keep-Alive

Accept-Encoding: gzip

Content-Length: 26

The thing i noticed that there is not like user session thing, it was working on a token ( In Authorization Header) Which is an authorization to API of veris but my mind said "from where did it came from :O like i have not entered any password" And then i said "Oh lol i entered One Time Password",

So what happening here is when we enter number it sends a OTP to it and then after OTP verification it generates a token to authenticate us with API and check is the number match with any account in database, if does exist we'll be logged in that account. Now as i mentioned earlier "No Rate Limit on OTP" Now i can use this to generate OTP for your number and get a token for it by bruteforcing and Bhoom I can use the token to modify info of your account.

POST /api/v1/change_email/ HTTP/1.1

Authorization: token **BRUTEFORCED TOKEN GOES HERE**

Content-Type: application/json

User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1; )

Host: live.veris.in

Connection: Keep-Alive

Accept-Encoding: gzip

Content-Length: 26

{"email":"hacker@hack.com"}

If the number is NOT registered it will give a response like this one (Token Generated)

If the number is registered it will give a response like this one (Token Generated)

Video Proof of Concept

23 comments:

Unknown20 July 2017 at 10:16
Hack and take money directly from any ATM Machine Vault with the use of ATM Programmed Card which runs in automatic mode. email (hydracards63@gmail.com) for how to get it and it cost,and how to also hack credit cards and send the money to your self,we are located around the world, these cards works on any ATM machine and it works according to it's activation.

………. EXPLANATION OF HOW THESE CARD WORKS……….

You just slot in these card into any ATM Machine and it will automatically bring up a MENU of 1st VAULT #1,000, 2nd VAULT #5,000, RE-PROGRAMMED, EXIT, CANCEL. Just click on either of the VAULTS, and it will take you to another SUB-MENU of ALL, OTHERS, EXIT, CANCEL. Just click on others and type in the amount you wish to withdraw from the ATM and you have it cashed instantly… Done.

***NOTE: DON’T EVER MAKE THE MISTAKE OF CLICKING THE “ALL” OPTION. BECAUSE IT WILL TAKE OUT ALL THE AMOUNT OF THE SELECTED VAULT. To get the card email (hydracards63@gmail.com)Hack and take money directly from any ATM Machine Vault with the use of ATM Programmed Card which runs in automatic mode. email (hydracards63@gmail.com) for how to get it and it cost,and how to also hack credit cards and send the money to your self,we are located around the world, these cards works on any ATM machine and it works according to it's activation.

………. EXPLANATION OF HOW THESE CARD WORKS……….

You just slot in these card into any ATM Machine and it will automatically bring up a MENU of 1st VAULT #1,000, 2nd VAULT #5,000, RE-PROGRAMMED, EXIT, CANCEL. Just click on either of the VAULTS, and it will take you to another SUB-MENU of ALL, OTHERS, EXIT, CANCEL. Just click on others and type in the amount you wish to withdraw from the ATM and you have it cashed instantly… Done.

***NOTE: DON’T EVER MAKE THE MISTAKE OF CLICKING THE “ALL” OPTION. BECAUSE IT WILL TAKE OUT ALL THE AMOUNT OF THE SELECTED VAULT. To get the card email (hydracards63@gmail.com)
ReplyDelete
Replies
Dr Purva Pius28 July 2017 at 10:29
Hello Everybody, My name is Mrs Sharon Sim. I live in Singapore and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of S$250,000.00 to start my life all over as i am a single mother with 3 kids I met this honest and GOD fearing man loan lender that help me with a loan of S$250,000.00 SG. Dollar, he is a GOD fearing man, if you are in need of loan and you will pay back the loan please contact him tell him that is Mrs Sharon, that refer you to him. contact Dr Purva Pius,via email:{urgentloan22@gmail.com} Thank you.
ReplyDelete
Replies
Unknown3 August 2017 at 12:09
شركة قمة الدقة للخدمات المنزلية
شركة مكافحة حشرات بالرياض
شركة رش مبيدات بالرياض
شركة عزل خزانات بالدمام
شركة عزل خزانات بالخبر
شركة كشف تسربات المياه بالدمام
شركة كشف تسربات المياه بالخبر
ReplyDelete
Replies
hotelrestaurant11 November 2017 at 00:38
دليل التجهيزات الشامل اكبر دليل يقوم بتوفير تجهيزات فنادق باسرع ما يمكن حيث اننا نتخصص بتوفير كافه معدات سوبر ماركت بارخص الاسعار ونقوم بتركيبها وصيانتها بشكل متميز
تابع موقعنا عبر
http://www.hotel-restaurant-eg.com
ReplyDelete
Replies
anti.insects7@gmail.com11 November 2017 at 01:06
سارعوا بالتعاقد مع شركة مكافحة حشرات في مصر وسنصل اليكم في الحال ونقوم بخدمات ابادة حشرات المنزل باحترافيه وطردها من المكان الي الابد كما نقوم بخدمات فحص دوريه للتأكد من نظافه المكان من اى حشرات
تابع موقعنا عبر
www.anti-insects.com
ReplyDelete
Replies
hair11 November 2017 at 02:28
الاحترافيه لدي اطباء مركز زراعة الشعر في تركيا لاجراء الابحاث العلمية الحديثة ليتمكنوا من زراعة الشعر في تركيا بطريقة طبيه امنه اعتمادا علي افضل انواع العلاج لمنع تساقط الشعر ومعالجة الصلع
تابع موقعنا عبر
www.hairtransplant1.com
ReplyDelete
Replies
lg11 November 2017 at 02:54
يتم استخدام اجهزة رش حديثة تساعد فريق عماله شركة مكافحة حشرات بالخبر في رش المبيدات في الاماكن الضيقه لقتل الحشرات والتخلص منها نهائيا , وتعد ابراج دبي من اكبر الشركات التى تهتم بالاعمال المنزلية فنقوم بتنظيف البيارات باحترافيه ولذلك يفضل الجميع شركة تسليك مجاري بالدمام لخدماتها المميزه واسعارها التى تناسب الجميع
تابع موقعنا للتفاصيل
http://abraj-dubai.net/%D8%B4%D8%B1%D9%83%D8%A7%D8%AA-%D9%85%D9%83%D8%A7%D9%81%D8%AD%D8%A9-%D8%A7%D9%84%D9%86%D9%85%D9%84-%D8%A7%D9%84%D8%A7%D8%A8%D9%8A%D8%B6-%D8%A8%D8%A7%D9%84%D8%AF%D9%85%D8%A7%D9%85/
ReplyDelete
Replies
lgmaintenance11 November 2017 at 05:03
خدمة العملاء في توكيل ال جي تتوافر علي مدار 24 ساعه يوميا وتقوم بالرد علي استفسارات عملائه الكرام في الحال وتقوم بارسال مهندسيين وفنيين صيانة ال جي الي العملاء في المنازل للتمكن من اصلاح وصيانة الاجهزة الكهربائية
للتفاصيل زوروا موقعنا عبر
www.lgmaintenance.com
ReplyDelete
Replies
Unknown24 January 2018 at 02:14
تتمكن من خلال احدي فروع صيانة يونيون اير المتواجدة في مصر من الحصول علي خدمات صيانة تكييفات يونيون اير باسرع ما يمكن وبشكل احترافي حيث اننا ندعم في شركة يونيون اير خدمات التصليح والصيانة للتكييفات والمراوح
تابع موقعنا للتفاصيل
http://unionairemaintenance.com
ReplyDelete
Replies
حجر هاشمي7 October 2019 at 05:26
اهم انواع الحجر الهاشمي من شركة ابو الهول
حجر هاشمي
ReplyDelete
Replies
Unknown13 January 2020 at 11:18
ARE YOU WILLING TO HIRE THE REAL HACKERS TO GET YOUR CYBER PROBLEMS FIXED WITH SWIFT RESPONSE?
AND ARE YOU A VICTIM OF THE BINARY OPTION SCAM?
Solving a problem for which you know there’s an answer is like climbing a mountain with a guide, along a trail someone else has laid.
This post is actually for those who are willing to turn their lives around for the better, either financial-wise, relationship-wise or businesses.
Our primary reason for this development is to ensure that those in need of help don’t get ripped off by forgeries.
Who are the GlobalHackers?
We are group of skilled professional hackers driven by passion to make the internet a safer place and render proficient services to those having cyber problems.
This is a global idea that navigates a newbie to a prominent encounter ( Fully immersed to a degree that the subject in question Is a disorienting worthwhile experience on merits).
Globalhackers has grown and expanded since it formation over the years due to the experience and professionalism of our management and technical staff. Our strength is based on our ability to bring together active cyber security professionals who individually has acquired enormous exposure in the world of HACKING
As part of our corporate goals, providing value added services to meet our client needs and requirements has been our sustaining impetus.
The new development on the Globalhackers platform is to assign to you the right HACKER to deal with your Particular kind of cyber issues depending on the kind of cyber problems you are willing to get fixed.
Here, you would be refer to a legit professional hacker known for massive skills and security abilities.
Skilled and trained on
▪Social media hacks (facebook, twitter, instagram,snapchat)
▪Email hacks
▪phone hacks
▪bitcoin hacks.
▪verified PayPal account hacks
▪database hacks
▪credit card top up
▪university score upgrade
▪money transfer
▪binary option funds recovery. ( recovered $4,372,063 million)
The binary option scam is another problem facing the internet today.
How do you avoid binary option scam and what do you do if you are a victim of the scam.
Be wary of adverts on the internet and mostly on social media promising high returns from binary options trading. The binary option is one of the highly recorded scam on the internet.This are a form of fixed-odds betting.
People investor their hard earned funds in the scammers website and at the end, they wouldn't be able to take their profit plus their investment too. The Globalhacks are breeding effort to put an end to these unbearable swindle scheme taking over the intenet and taking a solid step forward to render solution to those affected by the fleece… we have striven to make tenacious effort to relief those who were victims off their traumatic feeling of loss. ( We Are Here To Help Recover Your Stolen Funds).
Here would be our cybersecurity techniques to retrieving back the victims stolen funds.
●The binary broker website would be traced down using a game over peer to peer network via a bug attack,
The bug network secure an SQL trace on a hiding server, decentralizing it and redirecting the server to a soft plus network. A soft plus network enable varieties of unique web coding languages, Through that process reveals thier hidden networking source, displaying the changed web page made default.
This unveil the hiding information traceable to track down the scammers and their embezzled central fund reserve system.
HOW DO YOU STAY AWAY FROM FALSE BUSINESSES ONLINE?
* Making enquiries for their firm reference number (FRN)
* Contact details and barter their calls on the switchboard number and also
* Never make use of the link in a website or an email from the firm propitiating you for an investment.
For more enquiries and help, contact:
Clarksoncoleman (at) gmail. com
Info.globalhacks (at) gmail. com
globalhacktech (at) protonmail. com
HackerOne©️LLC 2030.
ReplyDelete
Replies
Glen Maxy20 December 2020 at 05:59
Part-Time Degree in singapore is planned explicitly for understudies who want to work in avionics related vocations. This specialized tasks program gives an occasion to those understudies new to flying to obtain avionics explicit information through flight related coursework.
ReplyDelete
Replies
Assignment Help1 April 2021 at 22:51
We are the team of Assignment Helper experts and we are providing the best assignment help service to aspirants across the world. If you need assignment writing service at cheap price, then reach us.
ReplyDelete
Replies
Assignment Help Pro18 August 2021 at 02:38
We have done many assignments and projects but we will surely agree with the fact that technology helps us to get a solid assignment and knowledge. It is technically a very necessary and important thing that we always imbibe technology to complete any assignment which we want to complete. Assignment help or assignment helpers also help in working on important goals for a purposeful and complete work structure.

ReplyDelete
Replies
Anonymous30 March 2022 at 04:02
Veris.In Account Takeover - Yet Another Infosec Blog >>>>> Download Now

>>>>> Download Full

Veris.In Account Takeover - Yet Another Infosec Blog >>>>> Download LINK

>>>>> Download Now

Veris.In Account Takeover - Yet Another Infosec Blog >>>>> Download Full

>>>>> Download LINK
ReplyDelete
Replies
SourceEssay28 August 2022 at 22:55
online ghost writer in quebec
ReplyDelete
Replies
Tools & Tutorials27 October 2022 at 19:31
Guy's Whats-up !

Do you wanna learn Hacking/Spamming/Carding ?
Do you wanna start your earning from home ?

Here I'm..
I'm offering complete packages, for Learning:
Hacking , Spamming, Carding, Spying etc
*Legit & Valid Tools & tutorials Stuff.

Contact 24/7
Tele-gram = @leadsupplier
Skype/Wickr = peeterhacks
I'C'Q = 752 822 040

All Type of Tools Available
MAILERS
SENDERS
KEY LOGGERS
KALI LINUX FULL
BTC CRACKER/FLASHER
BOMBER
VIRUSES
SHELLS
BRUTES
CPANELS
HACKING TUTS & STUFF
CARDING METHODS FOR CASHOUT & SPAMMING
FB/WA HACK TIPS & TRICKS
ETC

Fresh Fullz are available too
CC FULLZ
SSN DOB DL FULLZ (BULK QTY)
HIGH CS FULLZ (700+)
PREMIUM FULLZ
SBA/PUA/UI FILLING FULLZ
EMPLOYMENT FULLZ
BUSINESS FULLZ

Get In Touch :
Skype/Wickr = peeterhacks
I'C'Q = 752 822 040
Tele-gram = @killhacks

Fresh Spammed & Verified
Invalid stuff will be replace
Bulk order preferable
ReplyDelete
Replies
Maxsmith11 December 2022 at 23:21
Wel
ReplyDelete
Replies
marry28 December 2022 at 03:14
I really appreciate you providing this fantastic blog. incredibly motivating and beneficial. I hope you share more of your thoughts in the future. It's crucial to press the spacebar so that the game's spacebar counter can assist you as you compete with your pals. Visit this website spacebar click counter.
ReplyDelete
Replies