Account Takeover via Weak OTP

I seem to keep writing ATO posts here. I don’t mind. These are cool. Some are so easily discovered that it baffles me how persistent insecurity remains on the web.

This one was among the easy ones. Looking over the authentication, my client provided its users the option to login via email.

1. First, I wanted to inspect the entire flow. I entered my email and clicked on submit. At this point, two things happened:

• I received an email containing the OTP.
• I was redirected to a page to enter the OTP received via email.

Yes, there is at least another issue here: user enumeration (but I’m not going to talk about it).

2. The OTP received in my email was time-sensitive (it expired in ~5 minutes). However, it was only 4 digits long.

3. The endpoint confirming the OTP was not protected against bruteforcing attacks. Thus, even the most basic Intruder setup beat it in less than 5 minutes:

There is not much of a moral to this story other than trying to implement weak security mechanisms to an insecure-by-design feature is like trying to save a house from burning using a glass of water.