Hey fellow hackers and bug hunters,
As the same ,I can’t disclose the target name.So the target called as target.com.
I signed up and went to the account settings.There i saw the mobile number needs to verify.
I thought that i can able to bypass the OTP verification.But I can’t able to bypass that verification.But the post request for the OTP sending functionality is something phissy.Because in the post request one param is directly reflected in the sms
Content-Disposition: form-data; name=”domain_name”subdom.target.in
— — — — — — — — — — — — — — -86319185638644134231525746139 —
So, I thought what if i changed this and resend it and i changed it to IamEvil !!! It reflects.
So now I am going to change the content to Enter the OTP in evil.com and it leads to phishing attack to get the OTP.
Thank You for reading this writeup!!
Follow me for more bug hunting writeup’s
Follow me on Instagram : https://www.instagram.com/ram_0x_infosec/
Connect with me on Linkedin : https://www.linkedin.com/in/ram0xinfosec/
How I was able to send SMS from target and get their OTP. was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and
Read the article