Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Improper Validation at Partners Login - 654

HackerOne, posted 4 years ago
  • One-time-password (OTP) functionality is commonly used for 2FA. A common form is to send a code to the user via SMS and then verify it.
  • The OTP request had several fields; the two of note are phone_number and country_isd. The phone number is self-explanatory, but country_isd is not: it is simply the international dialing prefix for the phone's country. For instance, the US is '+1'.
  • Although the phone number was properly validated before the OTP was sent, the country_isd was not. Since it was prepended to the phone number, the number actually handed to the SMS service could be altered!
  • Initially, I thought to add a new phone number and then put a '#' to act as a comment. However, the author had a much cleverer idea: the SMS provider accepted comma-delimited messages to send the message to multiple numbers!
  • By setting country_isd to a full phone number followed by a comma, a second recipient can be added! For instance, if the injected number was 9999999999 and the validated number was 8888888888, the recipient string would become 9999999999,8888888888. Since the OTP is sent to both numbers, the attacker receives a valid code.
  • This attack required both missing input validation and a decent understanding of the backend service. Sometimes a misunderstanding of the service's full workflow leads to devastating bugs such as this one.
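As an added illustration (not code from the report or from this page's author), here is the trusted-prefix concatenation the report describes beside a hardened builder that validates country_isd against an allowlist and checks that the assembled recipient is exactly one E.164 number. The allowlist, the digit-length bounds and the function names are assumptions made for the example.

```python
import re

# Constructed allowlist of dialing codes for this example; a real service would
# use the full ITU E.164 assignment list or a library such as phonenumbers.
ALLOWED_COUNTRY_ISD = {"+1", "+44", "+91"}

# E.164: a '+' followed by 2 to 15 digits and nothing else. Any delimiter such
# as ',' ';' or '#' fails this, so a provider can never see a second recipient.
E164_RE = re.compile(r"\+[1-9][0-9]{1,14}")


def build_recipient_unsafe(country_isd: str, phone_number: str) -> str:
    """The vulnerable pattern: only phone_number is validated upstream, so the
    client-supplied prefix reaches the SMS provider unchanged."""
    return country_isd + phone_number


def build_recipient_safe(country_isd: str, phone_number: str) -> str:
    """Validate both fields independently, then re-check the assembled value.
    Raises ValueError unless the result is a single well-formed number."""
    if country_isd not in ALLOWED_COUNTRY_ISD:
        raise ValueError("country_isd is not a known dialing code")
    if not re.fullmatch(r"[0-9]{4,14}", phone_number):
        raise ValueError("phone_number must be 4 to 14 digits")
    recipient = country_isd + phone_number
    if not E164_RE.fullmatch(recipient):
        raise ValueError("assembled recipient is not a single E.164 number")
    return recipient


def is_single_recipient(recipient: str) -> bool:
    """Defensive check a sender can run right before calling the provider."""
    return E164_RE.fullmatch(recipient) is not None


def rejects(country_isd: str, phone_number: str) -> bool:
    """True if the hardened builder refuses this pair of inputs."""
    try:
        build_recipient_safe(country_isd, phone_number)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The report's example: a full number plus a comma smuggled in via the prefix.
    print(build_recipient_unsafe("9999999999,", "8888888888"))  # 9999999999,8888888888
    print(rejects("9999999999,", "8888888888"))                 # True
    print(build_recipient_safe("+1", "8888888888"))             # +18888888888
```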