Hey friends,
Hope you all are safe and good.
Don’t know why, but I suddenly started getting more requests on my matrimonial profile after I got married. I didn’t want to delete my account since browsing through the profiles of beautiful girls seems really interesting (disclaimer: don’t try this at home when your wife is nearby).
One day, I was very tired after work (I work as a developer). As usual, our previous day’s bug fix release had introduced some interesting new bugs in our application and I had to do some urgent data support to fix it. I decided to learn some new topics before I slept, as our manager had asked me to gain knowledge in some new technologies. So I opened YouTube and started learning. And only at 2:30 in the morning did I realize that I had ended up watching a video titled “Hey! Look my red cat is peeing on my bald head”. Sh**t!! I started watching a technology video and how the hell did I end up here ^_^ .
Anyway, I checked my email and found some notifications from the matrimony website. I used to check profiles using their android app, so I had forgotten the password. When I clicked on the forgot password option, the website asked me to enter the OTP received on my registered mobile number. Good! I am a big fan of OTP brute-forcing. I decided to give it a try. I entered a wrong OTP and resent the request more than 20 times. I noticed that there is no limit on trying invalid OTP numbers. So I opened Burp Suite and forwarded the request to Burp Intruder. Using Burp Intruder you can mark an input and provide a set of payloads. Once you start the attack, Burp sends continuous requests to the endpoint, replacing the marked input with the next payload in each request. Since the OTP is 6 digits, I set the payload range as 100000 to 999999. I started the attack and after a few minutes I started getting responses with 500 (Internal Server Error) as the status code. I paused Burp and tried accessing the website in the browser. I felt like running away when I saw that the website was down. I started panicking. I suddenly turned off my laptop and went to sleep. The target doesn’t have a bug bounty program, so as you know it is illegal to do this kind of stuff. I opened their android application but that also was not working. I started imagining myself getting arrested by the police and everyone laughing because I hacked a matrimonial website. Sh*t, I should have hacked some bank websites instead :(. This is why intelligent people say ‘never go behind beautiful girls’. I decided I would delete my matrimonial account once the server was up. I slept somehow.
When I woke up in the morning I checked the website first. Wooh!! It is working now. Everything is back to normal. There was no news of an international cyber criminal being arrested for hacking a matrimonial website.
All good, I am a brave person and today is Saturday. So I decided to check the attack again. This time I decided to reduce the rate of requests per second. I respect the server. But instead of starting the payload from ‘100000’ I accidentally gave the starting payload as just 0. So the payload range was from 0 to 999999. When the attack started I found something interesting. The first request, with OTP value 0, gave a different response. I was surprised when I checked the response. The response contained a link with my encrypted password!!! So if I clicked on that link I would be redirected to my account without any trouble. I knew a friend who was using the same application. I entered his mobile number and 0 as the OTP in the forgot password request. Voila!! I received the link with his encrypted password. So I can hack into anyone’s account without knowing the password. But I need to know their mobile number, right? After checking the request again I found that I can provide either mobile number, matrimony ID or email in the request. The request was as follows:
So I can log in to any account just by giving their mobile number/matrimonyID/email address in the ID field and 0 in the loginOTP field.
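As an added example (not code from this post or from the site), here is how a defender would structure the OTP check so that both gaps in this story are closed: unlimited guesses, and a sentinel value like 0 being accepted for an account with no pending code. The `verify_weak` method is a hypothetical illustration of one way a “0” bypass can arise (the post does not say what the real cause was), shown beside the hardened `verify`; the store, limits and TTL are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # lock the code after this many wrong guesses (assumed policy)
OTP_TTL_SECONDS = 300   # code expires five minutes after issue (assumed policy)


class OtpStore:
    """In-memory OTP state keyed by account identifier (mobile, email or matrimony id)."""

    def __init__(self):
        self._pending = {}  # identifier -> {"otp": str, "issued": float, "attempts": int}

    def issue(self, identifier, now=None):
        # Six-digit code from a CSPRNG, zero-padded so "000000" is a valid but random code
        otp = f"{secrets.randbelow(1_000_000):06d}"
        issued = now if now is not None else time.time()
        self._pending[identifier] = {"otp": otp, "issued": issued, "attempts": 0}
        return otp  # goes to the SMS gateway in a real system, never into an HTTP response

    def verify_weak(self, identifier, submitted):
        # Hypothetical weak check (assumption, not the site's code): a numeric compare with a
        # default of 0 means any account with no pending OTP accepts "0", and nothing is counted.
        stored = int(self._pending.get(identifier, {}).get("otp", 0))
        return int(submitted) == stored

    def verify(self, identifier, submitted, now=None):
        now = now if now is not None else time.time()
        state = self._pending.get(identifier)
        if state is None:
            return False  # no code was ever sent for this account: nothing can match
        if now - state["issued"] > OTP_TTL_SECONDS:
            del self._pending[identifier]  # expired: force a fresh code
            return False
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            del self._pending[identifier]  # brute force: invalidate, force a fresh code
            return False
        # Exactly six digits, compared as strings in constant time, so "0" never equals "000000"
        if len(submitted) != 6 or not submitted.isdigit():
            return False
        if hmac.compare_digest(submitted, state["otp"]):
            del self._pending[identifier]  # single use
            return True
        return False
```

Rate limiting per account and per source IP at the edge, plus alerting on bursts of failed OTP submissions, complements the per-code attempt counter.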
I immediately reported the issue to their customer support. I know there is no bug bounty program for them, but as this is a high impact bug I thought it should be reported. Their customer support team didn’t understand the impact at first. Later I got a chance to contact one of their technical managers. They fixed the bug immediately. Even though they don’t have an official bug bounty program, considering the impact, they rewarded me with an Amazon gift card worth 10000 Rs.