- Cybersecurity Threat – New Method Allows Attackers to Hack Through an Email Address - August 27, 2023
- SiegedSec Reveals NATO’s Secrets - August 27, 2023
- China’s Cyber War Mafia vs. Australia - August 27, 2023
Hackers resulted in a zero-click account takeover on redacted.com through an email address of a user. Redacted.com‘s login process requires the user’s email address. A 4-digit OTP (One-Time Password) is produced once the user’s email is entered and emailed to that address.
The OTP must be verified by the user within 10 minutes, and it loses validity after three unsuccessful tries. The user must successfully complete a captcha in order to obtain a new OTP, and the system only allows for five requests to generate new OTPs.
It’s highly unlikely to guess the correct 4-digit OTP that expires after 10 minutes, especially with only 3 tries. The system’s vulnerability to only permitting five fresh OTP requests, however, might be exploited by hackers, potentially compelling the program to create lots of OTPs. This can result in an unauthorized user accessing the user’s account.
Hackers must also get past the captcha validation requirement before they can create OTPs. This implies that before attempting to produce any new OTPs, they must figure out how to get around the captcha. This is the following request:
Based on the data of Req-Id and Device-Id, this API creates captcha codes automatically. However, rate restrictions were also applied to this API. Further research indicated that we could get around rate restriction and automatically produce an infinite number of captcha codes without requiring user input by providing various values in the Req-Id and Device-Id headers.
The next action is to ask for a fresh OTP. The following request is made:
The rate limiting on the OTP generation was bypassed by using different values for Req-Id and Device-Id. However, there is a limitation that after making five requests, the backend system ceases OTP generation for a specific email for 24 hours. This restriction was circumvented by manipulating the email addresses with a mix of upper and lower case letters, allowing for multiple sets of five OTP requests.
This method enabled the generation of a significant number of OTPs needed for the attack. By continuously using the verify OTP API, the hackers were able to force the application to generate OTPs until they reached the desired code, such as 1337.
The entire process was automated and took around 10-15 minutes (sometimes as little as 2 minutes) for the backend to generate the desired OTP of 1337, providing complete control over the account. The attack’s only limitation is the requirement for the email address to have a sufficient number of letters to create a large list of variations. However, this is typically not an issue as most email addresses meet this requirement.
For example, if the email is “[email protected],” it would be practically impossible to generate a significant number of unique email variations, making it challenging to obtain an OTP of choice in such cases.
The login functionality on redacted.com had vulnerabilities that allowed for a zero-click account takeover. By exploiting weaknesses in OTP generation, rate limiting, and captcha validation, whackerse gained unauthorized access.
These flaws highlight the importance of continually strengthening authentication mechanisms with robust safeguards, improved rate limiting, captcha validation, and OTP generation algorithms.