Lack of Authentication on the OTP Endpoint enables an attacker to brute force the Correct OTP

Feature: Monthly Group Savings (Rotating Payout) with OTP Security

This feature allows a group of users to join a monthly savings cycle, where each member contributes a fixed amount, and one member receives the total pooled amount every month in rotation.

To book a spot in the cycle or to withdraw from it, the user must enter a One-Time Password (OTP).

  • The OTP is sent to the user’s registered mobile number.

  • The OTP is valid for 10 minutes only to ensure security and prevent misuse.

This ensures that participation and withdrawals are both secure, verified, and time-bound.

(Affected) First API Endpoint:

The OTP generation mechanism was found to be vulnerable due to a combination of Broken Authentication and weak rate-limiting controls.

/v1/otp/generate

  • Requests to /v1/otp/generate can be sent without a valid JWT, yet still succeed. This indicates Broken Authentication, as the endpoint does not strictly enforce token validation.

(Affected) Second API Endpoint:

/v1/REDECATED-subsriber/userId

  • Each user can issue up to 3 UUIDs, and each UUID can generate 3 different OTPs, resulting in 9 OTP attempts per user.

  • OTP values are only 4 digits long (10,000 possible combinations: 0000–9999).

  • Nine guesses against a 4-digit code succeed with probability 9/10,000 for any one account. Spread across user IDs, those per-account budgets cover the full keyspace once after roughly 1,112 user IDs (10,000 / 9 ≈ 1,111.1), so an attacker spraying guesses across that many accounts expects about one correct OTP without any single account exceeding its 9 permitted attempts.

Chained Exploit Scenario:

  1. The attacker removes the JWT header and sends requests with only the hardcoded API key and user ID.

    • The request is still processed successfully → Broken Authentication.

  2. The attacker automates OTP generation across multiple user IDs.

  3. Because rate limiting is enforced only on reuse of the same UUID, not across different UUID/OTP combinations, the attacker bypasses it by moving on to a fresh UUID.

  4. By writing a small Python script to chain requests:

    • For each user ID: generate 3 UUIDs (the per-user UUID cap is the restriction that blocks a straightforward OTP brute force).

    • For each UUID: request 3 OTPs (the per-UUID cap is the other restriction that blocks a straightforward OTP brute force).

    • This yields 9 OTP attempts per user ID under the current restrictions.

I was successfully able to brute force the OTP under the existing restrictions.
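The chained scenario above, simulated end to end as an added example. This is the editor's illustration, not the target's code and not the original script. The two service classes are assumed models: `WeakOtpService` reproduces the reported behaviour (JWT ignored, client-supplied user ID trusted, failed guesses counted per session UUID, three UUIDs per user ID), and `HardenedOtpService` is a suggested fix, not the vendor's. Class and function names, the `token_subjects` dictionary standing in for JWT signature verification, and the constructed `user-N` account IDs are all assumptions; the "3 OTPs per UUID" figure from the writeup is modelled as three verification attempts per UUID. `attack_account` follows the writeup's steps (mint a UUID, spend its guesses, mint the next, move on when the service refuses), and `spray` plus `expected_hits` generalise the page's arithmetic to any budget and code length.

```python
import hmac
import secrets
import uuid
from dataclasses import dataclass

@dataclass
class OtpSession:
    user_id: str
    otp: str
    failed: int = 0

class WeakOtpService:
    """Assumed model of the reported behaviour: JWT ignored, client-supplied user ID trusted,
    failed guesses counted per session UUID only, at most 3 live UUIDs per user ID."""
    OTP_DIGITS = 4
    MAX_SESSIONS_PER_USER = 3
    MAX_FAILED_PER_SESSION = 3

    def __init__(self, randbelow=secrets.randbelow):
        self.randbelow = randbelow   # injectable so a simulation can fix the OTP value
        self.sessions = {}           # session uuid -> OtpSession

    def generate(self, user_id, jwt=None):
        # Broken authentication: `jwt` is accepted but never validated.
        if sum(s.user_id == user_id for s in self.sessions.values()) >= self.MAX_SESSIONS_PER_USER:
            return None              # the UUID-per-user cap is the only limit the page reports
        sid = str(uuid.uuid4())
        otp = f"{self.randbelow(10 ** self.OTP_DIGITS):0{self.OTP_DIGITS}d}"
        self.sessions[sid] = OtpSession(user_id, otp)
        return sid

    def verify(self, sid, guess):
        # Returns 'ok', 'wrong' or 'blocked' ('blocked' = the guess was never evaluated).
        s = self.sessions.get(sid)
        if s is None or s.failed >= self.MAX_FAILED_PER_SESSION:
            return "blocked"
        if hmac.compare_digest(s.otp, guess):
            return "ok"
        s.failed += 1                # only this UUID's counter moves; a fresh UUID starts at zero
        return "wrong"

class HardenedOtpService(WeakOtpService):
    """Suggested fix (assumed, not the vendor's): JWT bound to user_id required, failures
    counted per account across all its sessions, lockout discards live OTPs, 6-digit code."""
    OTP_DIGITS = 6
    MAX_FAILED_PER_ACCOUNT = 3

    def __init__(self, token_subjects, randbelow=secrets.randbelow):
        super().__init__(randbelow)
        self.token_subjects = token_subjects   # jwt -> subject; stands in for signature verification
        self.failed_by_user = {}

    def generate(self, user_id, jwt=None):
        if self.token_subjects.get(jwt) != user_id:
            raise PermissionError("missing or invalid JWT for this user")
        if self.failed_by_user.get(user_id, 0) >= self.MAX_FAILED_PER_ACCOUNT:
            return None              # locked: minting new UUIDs does not reset the budget
        return super().generate(user_id, jwt)

    def verify(self, sid, guess):
        s = self.sessions.get(sid)
        if s is None or self.failed_by_user.get(s.user_id, 0) >= self.MAX_FAILED_PER_ACCOUNT:
            return "blocked"
        if hmac.compare_digest(s.otp, guess):
            return "ok"
        self.failed_by_user[s.user_id] = self.failed_by_user.get(s.user_id, 0) + 1
        if self.failed_by_user[s.user_id] >= self.MAX_FAILED_PER_ACCOUNT:
            for k in [k for k, v in self.sessions.items() if v.user_id == s.user_id]:
                del self.sessions[k]           # invalidate every live OTP of the locked account
        return "wrong"

def attack_account(service, user_id, jwt=None):
    """The writeup's loop: mint a UUID, spend its guesses, mint the next, until refused.
    Guesses run 0000, 0001, ... in order. Returns (guesses_evaluated, success)."""
    evaluated = 0
    while True:
        try:
            sid = service.generate(user_id, jwt)
        except PermissionError:
            return evaluated, False
        if sid is None:
            return evaluated, False
        while True:
            outcome = service.verify(sid, f"{evaluated:0{service.OTP_DIGITS}d}")
            if outcome == "blocked":
                break
            evaluated += 1
            if outcome == "ok":
                return evaluated, True

def spray(service, accounts, jwt_for=None):
    # Run attack_account over many user IDs; returns (total_guesses_evaluated, accounts_hit).
    total, hits = 0, 0
    for user_id in accounts:
        n, ok = attack_account(service, user_id, jwt_for(user_id) if jwt_for else None)
        total, hits = total + n, hits + ok
    return total, hits

def expected_hits(accounts, guesses_per_account, otp_digits):
    # Accounts the attacker expects to open: each falls with probability guesses / 10**digits.
    return accounts * guesses_per_account / 10 ** otp_digits
```

Running `spray(WeakOtpService(), [f"user-{i}" for i in range(1111)])` evaluates 9 guesses per user ID (9,999 in total, fewer only when a code is hit early) and lands about `expected_hits(1111, 9, 4)`, i.e. roughly one account, per pass; the same spray against `HardenedOtpService` evaluates nothing without a valid token, and with one it stops at three guesses for the whole account no matter how many UUIDs are minted. The fix that matters is the key of the counter: it must be the account or phone number being protected, never an identifier the client can mint afresh.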

Impact:

  • OTP brute force is feasible with moderate resources.

  • Attackers can enumerate valid OTPs, gain unauthorized access to user accounts, and compromise sensitive operations.

  • The lack of strong authentication and comprehensive rate-limiting significantly weakens backend protections.

Risk Summary: This vulnerability arises from the combination of:

  • Broken Authentication (JWT not enforced).

  • Insufficient Rate-Limiting (restrictions only apply to UUID reuse).

Together, these flaws allow attackers to bypass OTP security controls and systematically brute force OTPs.
