Account Takeover via OTP Mechanism
Written by Sagiv Michael, Penetration Tester at Clear Gate Cyber Security and Research.
This article is also available on our blog:
Introduction
During a penetration test of a client’s authentication mechanisms, we uncovered a critical vulnerability that can lead to a complete account takeover of any user within the system. This finding reveals severe flaws in implementing the OTP (One-Time Password) mechanism, allowing adversaries to authenticate as any existing user in the system. The vulnerability lies in the OTP generation and validation process, where the correct OTP code is actually returned in the API’s response.
An adversary can simply read the API response to obtain the valid OTP code upon initiating an authentication request. With this OTP, the adversary can then authenticate as any user. This critical security flaw compromises the affected users’ personal and sensitive information and poses a significant threat to the integrity and security of the client’s system. Immediate action is required to rectify this vulnerability to prevent potential exploitation and ensure the protection of user accounts.
Vulnerability Details
The vulnerability stems from how the client’s system handles OTP verification and from the information it discloses during authentication. Here is a step-by-step breakdown of how we reproduced and exploited the issue:
Step 1: Discovering Valid Users
The system’s authentication mechanism requires an email address and a phone number for successful authentication. If one of the details is incorrect, the authentication fails.
Using OSINT (Open-Source Intelligence) techniques, we discovered the CEO’s email address and phone number. This information was obtained from publicly available sources, and its validity could be confirmed against the server via a specific API endpoint by supplying the targeted email address.
The endpoint responds with a null oktaDiscoveryUri parameter when the supplied email address does not exist in the system, and with a valid Okta link when it does.
Step 2: Initiating the Authentication Process
Once the CEO’s email was identified, we initiated the authentication process, which triggered the system to send a four-digit OTP code to the user’s registered phone number.
Step 3: Exploiting OTP Verification
Next, we attempted to authenticate with an intentionally incorrect OTP code. The response revealed sensitive information, including the correct OTP that had been sent to the user’s (the CEO’s) mobile phone.
Step 4: Authenticating as the User
Using the correct OTP code obtained from the previous step, we authenticated as the targeted user and received a valid user token, granting full access to the CEO’s account.
Once inside the account, it was possible to view and modify personal information, including sensitive data such as email communications, confidential documents, and financial records. Additionally, we were able to manipulate account settings, review past transactions, and potentially exploit the account for further unauthorized activities.
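As an added illustration (not code from the report or from the client’s system), the following shows the Step 3 defect, a verification handler whose error response carries the real code, beside a hardened handler that returns only a generic error, caps attempts (important for a four-digit code), expires codes, and makes them single-use. The in-memory store, the response field name expectedOtp, and the limits are constructed assumptions.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5          # assumed cap; a 4-digit space has only 10,000 codes
OTP_TTL_SECONDS = 300     # assumed lifetime of a code


def issue_otp(store, email, now):
    """Generate a 4-digit OTP (as in the report) and record it server-side only."""
    code = f"{secrets.randbelow(10_000):04d}"
    store[email] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code  # goes to the SMS gateway only, never into an HTTP response


def vulnerable_verify(store, email, submitted):
    """Mirrors the flaw: on a wrong guess the error body leaks the expected code.
    The field name 'expectedOtp' is constructed; the page does not name it."""
    entry = store.get(email)
    if entry is None or submitted != entry["code"]:
        return {"status": 400, "error": "Invalid OTP",
                "expectedOtp": entry["code"] if entry else None}
    return {"status": 200, "token": secrets.token_hex(16)}


def hardened_verify(store, email, submitted, now):
    """Generic error for every failure, attempt cap, expiry, single use."""
    generic = {"status": 400, "error": "Invalid or expired code"}
    entry = store.get(email)
    if entry is None:
        return generic
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        store.pop(email, None)  # burn the code; the user must request a new one
        return generic
    entry["attempts"] += 1
    if not hmac.compare_digest(entry["code"], submitted):
        return generic          # same body as every other failure, no code inside
    store.pop(email)            # a code that verified once is never accepted again
    return {"status": 200, "token": secrets.token_hex(16)}
```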
Mitigation
If you have encountered any of the above scenarios, please follow the instructions provided by Clear Gate for immediate mitigation to prevent Account Takeover attacks.
Limit Information Disclosure:
Conclusion
This critical finding underscores the importance of secure implementation practices in authentication mechanisms. By promptly addressing the identified issues, the client can significantly enhance the security of their system and protect their users from potential account takeovers.
Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in authentication deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their authentication mechanism security and protect valuable data from potential threats.