Default OTP: Account Takeover

Summary

An attacker can log in to any account by entering the phone number associated with that account and the confirmation OTP 1234. The target was not in production; 1234 must be hardcoded or used as a default OTP.

Reproduction Steps

  1. Go to foo.bar.target.com and click on Login.
  2. Enter your phone number.
  3. Enter confirmation OTP: 1234.
  4. Login successful.
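The flaw described above next to a hardened verification flow, as an added illustration in Python. This is not the target's code; the 5-minute validity window, 5-attempt limit and `OtpService` API are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
OTP_TTL_SECONDS = 300   # assumption: a 5-minute validity window
MAX_ATTEMPTS = 5        # assumption: lock the code after 5 wrong guesses


def verify_otp_vulnerable(phone, submitted, issued_otps):
    """Constructed illustration of the reported flaw: a debug/default OTP
    that is accepted for every phone number, whatever code was actually sent."""
    if submitted == "1234":
        return True
    return issued_otps.get(phone) == submitted


def _digest(code):
    # Store only a hash so a leaked OTP table cannot be replayed directly.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class IssuedOtp:
    digest: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """Hardened flow: random per-request code, hashed at rest, expiring,
    single-use, attempt-limited, compared in constant time. No fixed code."""
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._issued = {}

    def issue(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self._issued[phone] = IssuedOtp(_digest(code), self._now() + OTP_TTL_SECONDS)
        return code  # a real system sends this via SMS and never returns it to the caller

    def verify(self, phone, submitted):
        rec = self._issued.get(phone)
        if rec is None:
            return False
        if self._now() > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
            del self._issued[phone]  # expired or locked out: discard the code
            return False
        rec.attempts += 1
        if hmac.compare_digest(rec.digest, _digest(submitted)):
            del self._issued[phone]  # single use: a correct code cannot be replayed
            return True
        return False
```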

Timeline

  1. 19 September 2022 - Reported via HackerOne
  2. 21 September 2022 - Status changed to PPR
  3. 23 September 2022 - Triaged
  4. 27 September 2022 - Rewarded
  5. 3 October 2022 - Resolved