
The Tales of Mobile Pen testing

Exploring key vulnerabilities discovered during a mobile app pentest before production, with insights into major findings and mitigation strategies

This post covers several vulnerabilities uncovered during a pentest performed shortly before the app was moved to production. It does not cover every issue; it focuses on the major findings and the mitigation recommended for each. The host name is REDACTED throughout this report.

Account Takeover [Critical] 

By exploiting this vulnerability an adversary can take over any account in the application, provided they know the mobile number or email address of the user. Let's dive into the exploitation:


  1. For the endpoint redacted.com/api/forgot_password_save, craft a payload that allows us to change the password of any user account.

Have a look at the screenshot below for reference: 

From the above screenshot, it is clear that we were able to change the password of any user account simply by passing the new password and the mobile number. Note the lack of any authorization token in the request.


Mitigation: 

  1. We advised the client to implement strict authorization checks on every state-changing function across the application, so that no user can perform actions on behalf of other users.
  2. We also recommended strict validation of session tokens, so that each state-changing function is bound to the authenticated session of the user account it affects and cannot be invoked outside that session.

OTP Leak leading to account takeover/password reset

Even though we were able to take over accounts using the vulnerability explained earlier, there are also vulnerabilities in the OTP validation that can lead to account takeover or feature bypass.

Have a look at the screenshot below for reference: 


Once a password reset is initiated, the OTP was found to be leaking in the response, where an adversary can read it and use it to reset the password, complete the signup flow, and so on. It was also possible to change this OTP to any other value and use that value instead, if preferred.


Mitigation: 

  1. It was recommended to remove the OTP from the response body.
  2. It was also advised to remove the client-side validation of the OTP, so that attacks that work by altering the response status codes are prevented in future.

Price Manipulation  

In the redacted application, there is an option to purchase access to various classes and other redacted functionality by making payments. These payments unlock paywalled features. However, it was possible to manipulate these requests and purchase the features for a negligible amount.

Have a look at the screenshot below for reference:

From the image, it is clear that a payment of $50 is required to unlock a feature of the application; however, it was possible to change the value to $1 and unlock the paywalled feature.

Have a look at the screenshot below: 


We were able to change the $50 to $1 and successfully pay for the feature.

This image shows that we were able to purchase the feature for $1. The same is reflected on the page.

Conclusion 

This penetration test identified critical vulnerabilities in the mobile application that could have been exploited by attackers to take over user accounts, bypass security measures, and gain unauthorized access to premium features. 

The identified vulnerabilities highlight the importance of implementing robust security practices throughout the development lifecycle. By following the recommended mitigations, such as strict authorization mechanisms, stronger OTP handling, and secure payment processing, the client can significantly improve the security posture of their application and protect their users from potential attacks. 
