Email and Phone Number Verification Bypass Worth $$$

Hello guys! My name is Tuhin Bose (@tuhin1729). I am currently working as a Chief Technology Officer at Virtual Cyber Labs. In this write-up, I am going to share one of my findings which helped me to earn $$$.

So without wasting time, let’s start:

Introduction:

Basically, the target was an email marketing website; let’s call it redacted.com. I quickly tried to create an account there. While creating an account, I noticed that they verify both the email & phone number of the user using OTP. So I decided to try an OTP bypass. I submitted the OTP and captured the request using Burp. In both cases (email & phone number), the request looks like this:

My Assumption:

The OTP is associated with the requestId. When we forward the request, the server will verify whether the value of “response” is the same for the corresponding “requestId”, and if it matches then it’ll redirect to phone number verification. So if we copy the request body and drop the request then try using the body while generating an
