
Account Takeover via OTP Mechanism

Written by Sagiv Michael on


Introduction

During a penetration test of a client’s authentication mechanisms, we uncovered a critical vulnerability that can lead to a complete account takeover of any user within the system. This finding reveals severe flaws in the implementation of the OTP (One-Time Password) mechanism, allowing adversaries to authenticate as any existing user in the system. The vulnerability lies in the OTP generation and validation process, where the correct OTP code is actually returned in the API’s response.

An adversary can simply read the API response to obtain the valid OTP code upon initiating an authentication request. With this OTP, the adversary can then authenticate as any user. This critical security flaw compromises the affected users’ personal and sensitive information and poses a significant threat to the integrity and security of the client’s system. Immediate action is required to rectify this vulnerability to prevent potential exploitation and ensure the protection of user accounts.

Vulnerability Details

The vulnerability stems from how the client’s system handles OTP verification and from the information it discloses during authentication. Here is a step-by-step breakdown of how we reproduced and exploited the issue:

Step 1: Discovering Valid Users

The system’s authentication mechanism requires an email address and a phone number for successful authentication. If one of the details is incorrect, the authentication fails.

Using OSINT (Open-Source Intelligence) techniques, we discovered the CEO’s email address and phone number. This information was obtained from publicly available sources, and its validity could be confirmed against the server via a specific API endpoint by supplying the targeted email address.

The endpoint responds with a null oktaDiscoveryUri parameter when the supplied email address does not exist in the system, and with a valid Okta link when it does, which confirms whether an account exists.

Validating a Non-Existing Email Address in The System
CEO’s Email Address Found to be Valid in The System

Step 2: Initiating the Authentication Process

Once the CEO’s email address was confirmed as valid, we initiated the authentication process, which triggered the system to send a four-digit OTP code to the user’s registered phone number.

Authenticating to The System with The Obtained Information

Step 3: Exploiting OTP Verification

Next, we attempted to authenticate with an intentionally incorrect OTP code. The resulting response revealed sensitive information, including the correct OTP code that had been sent to the user’s (the CEO’s) mobile phone.

The API Response with the Correct OTP Code

Step 4: Authenticating as the User

Using the correct OTP code obtained from the previous step, we authenticated as the targeted user and received a valid user token, granting full access to the CEO’s account.

Submitting the OTP Code and Receiving a Valid User Token

Once inside the account, it was possible to view and modify personal information, including sensitive data such as email communications, confidential documents, and financial records. Additionally, we were able to manipulate account settings, review past transactions, and potentially exploit the account for further unauthorized activities.

Mitigation

If you have encountered any of the above scenarios, please follow the instructions provided by Clear Gate for immediate mitigation to prevent Account Takeover attacks.

  • Limit Information Disclosure – Refrain from returning excessive information during the authentication process. Specifically, never include the valid OTP code or any other sensitive server-side data in the response to a failed verification attempt.
  • Uniform Error Responses – Return a consistent response for authentication attempts regardless of whether the user exists. For instance, always return a generic “OK” message so that the response does not reveal whether an email address or phone number is registered.
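The following is an added example, not code from Clear Gate or from the client’s system. It models the two flaws described in Step 1 and Step 3 (a discovery endpoint that confirms account existence, and a verification endpoint that echoes the real OTP back on a wrong guess) next to a handler built along the lines of the mitigation list above: a uniform response whether or not the user exists, a constant-time comparison, an expiry, and an attempt limit. The user directory, the in-memory challenge store, the SMS stand-in, the expiry and attempt values, and the placeholder Okta link are all constructed assumptions for the example.

```python
import hmac
import secrets
import time

OTP_DIGITS = 4          # the post describes a four-digit code
OTP_TTL_SECONDS = 300   # assumption: a code expires five minutes after issue
MAX_ATTEMPTS = 5        # assumption: a challenge is discarded after five wrong guesses

# Constructed user directory keyed by email address (not real data).
USERS = {
    "ceo@example.com": {"phone": "+15550100001"},
}

# Outstanding OTP challenges keyed by email: code, expiry time, attempts used.
_challenges = {}

# Stands in for the SMS gateway so the example runs offline; a real service
# would hand the code to the carrier and never keep it in a list like this.
_sent_sms = []


def _send_sms(phone, code):
    _sent_sms.append((phone, code))


def _issue_token(email):
    # Placeholder for the real session/token issuance.
    return secrets.token_urlsafe(32)


def discover_user_vulnerable(email):
    """Models the Step 1 endpoint: the body differs depending on whether the account exists."""
    if email in USERS:
        return {"oktaDiscoveryUri": "https://example.okta.com/placeholder"}  # constructed link
    return {"oktaDiscoveryUri": None}


def discover_user_hardened(email):
    """Uniform response: identical body for known and unknown addresses."""
    return {"status": "OK"}


def start_authentication(email, phone):
    """Begin a challenge. Only a matching (email, phone) pair gets a code, but the
    response body is the same either way, so it does not confirm valid users."""
    user = USERS.get(email)
    if user is not None and user["phone"] == phone:
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        _challenges[email] = {
            "code": code,
            "expires": time.time() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        _send_sms(phone, code)  # the code leaves the server only over the out-of-band channel
    return {"status": "OK"}


def verify_otp_vulnerable(email, submitted):
    """Models the Step 3 flaw: a wrong guess returns the server-side challenge, code included."""
    ch = _challenges.get(email)
    if ch is None:
        return {"status": "error", "message": "no challenge"}
    if submitted == ch["code"]:
        return {"status": "ok", "token": _issue_token(email)}
    # The defect: serialising the whole challenge object into the error response.
    return {"status": "error", "message": "invalid otp", "challenge": ch}


def verify_otp_hardened(email, submitted):
    """Verification that discloses nothing beyond success or failure."""
    ch = _challenges.get(email)
    if ch is None or time.time() > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
        _challenges.pop(email, None)        # expired or exhausted challenges are discarded
        return {"status": "error"}
    ch["attempts"] += 1
    if hmac.compare_digest(submitted.encode(), ch["code"].encode()):
        _challenges.pop(email, None)        # a code is accepted at most once
        return {"status": "ok", "token": _issue_token(email)}
    return {"status": "error"}              # same body for every failure cause
```

The hardened handler returns the same `{"status": "error"}` body for a missing, expired, exhausted or simply wrong code, so the response tells the caller nothing about the challenge state; the attempt limit also matters because a four-digit code has only 10,000 possible values and would otherwise fall to plain guessing.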

Conclusion

This critical finding underscores the importance of secure implementation practices in authentication mechanisms. By promptly addressing the identified issues, the client can significantly enhance the security of their system and protect their users from potential account takeovers.

Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in authentication deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their authentication mechanism security and protect valuable data from potential threats.
