An attacker can log in to any account by entering the account holder's phone number and the confirmation OTP 1234. The target was not in production; 1234 must be hardcoded or used as a default OTP.
- Go to foo.bar.target.com and click on Login.
- Enter your phone number.
- Enter confirmation OTP: 1234.
- Login successful.
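The pattern behind this finding, as an added illustration that is not code from the report or the target: a verification routine that still accepts a hardcoded test OTP next to a hardened one that only accepts a freshly generated, single-use, expiring code. The phone numbers, store names and function names are constructed for the demo.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores for the demo; a real service would use a DB or cache.
LEGACY_OTPS = {}   # phone -> code, used by the vulnerable routine
ISSUED_OTPS = {}   # phone -> {"code", "expires", "attempts"}, used by the hardened routine


# --- Vulnerable pattern (the behaviour the report describes) ---
def verify_otp_vulnerable(phone: str, submitted: str) -> bool:
    """Accepts the OTP that was sent, but ALSO a hardcoded default.
    A test value like this, left in a pre-production build, lets any phone
    number log in without ever receiving an SMS."""
    DEFAULT_OTP = "1234"  # hardcoded fallback: this is the bug
    expected = LEGACY_OTPS.get(phone)
    return submitted == DEFAULT_OTP or (expected is not None and submitted == expected)


# --- Hardened pattern ---
OTP_TTL_SECONDS = 300  # code is valid for 5 minutes
MAX_ATTEMPTS = 5       # wrong guesses allowed before the code is discarded


def issue_otp(phone: str, now: Optional[float] = None) -> str:
    """Generate a fresh 6-digit code from a CSPRNG and record it with an
    expiry and an attempt counter. No default or fallback value exists."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    ISSUED_OTPS[phone] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return code  # delivered out of band (SMS) in practice; returned here only for the demo


def verify_otp_hardened(phone: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept only the code issued for this phone, unexpired, within the
    attempt budget, compared in constant time, and consumed on success."""
    now = time.time() if now is None else now
    entry = ISSUED_OTPS.get(phone)
    if entry is None:
        return False  # nothing was issued, so nothing can match
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del ISSUED_OTPS[phone]  # expired or locked out: force a new issue
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["code"], submitted):
        del ISSUED_OTPS[phone]  # single use
        return True
    return False


if __name__ == "__main__":
    # Reproduces the report against the vulnerable routine: no OTP was issued for this number.
    print("vulnerable accepts 1234:", verify_otp_vulnerable("+15550001111", "1234"))
    print("hardened accepts 1234:", verify_otp_hardened("+15550001111", "1234"))
    code = issue_otp("+15550002222", now=1000.0)
    print("hardened accepts issued code:", verify_otp_hardened("+15550002222", code, now=1001.0))
```

A detection angle that follows from the same code: in the hardened routine, every login requires a matching `issue_otp` call first, so a successful verification with no preceding issue event for that phone number (which is exactly what the vulnerable routine allows) is a signal worth alerting on.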
- 19 September 2022 - Reported via Hackerone
- 21 September 2022 - Status changed to PPR
- 23 September 2022 - Triaged
- 27 September 2022 - Rewarded
- 3 October 2022 - Resolved