Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Account Takeover via SMS Authentication Flow - 750

YetAnotherHacker - HackerOne, posted 4 years ago
  • Zenly is a live map of friends and family. It is a part of Snap Inc.
  • During the authentication flow, an SMS message is sent to the user to validate the session. The flow is as follows:
    1. SessionCreate is called with the mobile phone number of a user.
    2. A session for the user is created and a session token is returned. No operations are allowed until the verification of the SMS message is complete.
    3. SMS message is sent with the verification code.
    4. Call SessionVerify with the session token and the verification code. Now, the session token of the user becomes valid and they can login as normal.
  • When calling SessionCreate for a given phone number, the same session token is returned no matter how many times it is called. Although this sounds like a reasonable feature for storage reasons, it has catastrophic consequences.
  • An attacker can call SessionCreate with the user's phone number, then wait for the legitimate user to validate the SMS message. Once the user has validated the SMS message, the session token is valid. Since the session token was the same for both callers, the attacker now has unrestricted access to the user's account.
  • To fix this issue, each call to SessionCreate should return a unique session token and generate a new SMS code. Since the code differs between two calls, this attack no longer works. Overall, I really enjoyed the vulnerability since it requires a deep knowledge of how the system works.
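As an added illustration (not code from the report or from Zenly), here is a toy Python model of the SessionCreate/SessionVerify flow: with `reuse_pending=True` it reproduces the shared-token flaw described above, and with `reuse_pending=False` it applies the fix of minting a fresh token and SMS code on every call and discarding the earlier pending attempt. The class, method names and the phone number are constructed for the example.

```python
import secrets

class AuthService:
    # Toy model of the SessionCreate/SessionVerify flow. reuse_pending=True reproduces the
    # flaw (a repeat SessionCreate for a number returns its one pending token and re-sends
    # the same code); reuse_pending=False is the fix (fresh token and code on every call).
    def __init__(self, reuse_pending: bool):
        self.reuse_pending = reuse_pending
        self.sessions: dict[str, dict] = {}          # token -> {phone, code, verified}
        self.pending: dict[str, str] = {}            # phone -> token awaiting SMS code
        self.sms_outbox: list[tuple[str, str]] = []  # (phone, code) messages "sent"

    def session_create(self, phone: str) -> str:
        if self.reuse_pending and phone in self.pending:
            token = self.pending[phone]
        else:
            old = self.pending.pop(phone, None)       # fix: supersede any earlier attempt
            if old is not None:
                del self.sessions[old]
            token = secrets.token_urlsafe(32)
            code = f"{secrets.randbelow(10**6):06d}"
            self.sessions[token] = {"phone": phone, "code": code, "verified": False}
            self.pending[phone] = token
        self.sms_outbox.append((phone, self.sessions[token]["code"]))
        return token

    def session_verify(self, token: str, code: str) -> bool:
        s = self.sessions.get(token)
        if s is None or s["verified"] or not secrets.compare_digest(s["code"], code):
            return False
        s["verified"] = True
        self.pending.pop(s["phone"], None)
        return True

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s["verified"]

def simulate(reuse_pending: bool) -> tuple[bool, bool]:
    # Scenario from the report: a second party calls SessionCreate for the victim's number
    # before the victim does; the victim then verifies with the code from their SMS.
    # Returns (victim's token valid, second party's token valid).
    svc = AuthService(reuse_pending)
    other_token = svc.session_create("+15550100")    # constructed sample number
    victim_token = svc.session_create("+15550100")
    _, code = svc.sms_outbox[-1]                      # victim reads the latest SMS
    svc.session_verify(victim_token, code)
    return svc.is_valid(victim_token), svc.is_valid(other_token)
```

With the flawed setting both tokens become valid once the victim verifies; with the fix only the victim's token does, because the earlier pending session was discarded when the victim called SessionCreate.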