I was invited to security test an e-commerce website. Mobile phone number verification is mandatory on the website and customers are not able to confirm the orders without entering correct mobile number and verifying the same. This prevents attackers from creating fake orders with random numbers and costing the company with missed deliveries. But the verification could have been bypassed with below method.
Step 1 — Make account on https://www.redacted.com/ without verifying the mobile number( Any random mobile number ) and try to make a order, You will get an error and application forces to verify the mobile number before proceeding and exits to the main page
Step 2 — With the same account login to https://m.redacted.com/ . Due to different backend code in https://m.redacted.com/ and https://www.redacted.com/ The verification is bypassed when one logins to mobile and the mobile number is marked as verified on the website.
Step 3 — Now going to https://www.redacted.com and trying to make an order. The mobile verification check does not come and one is able to successfully order an item with cash on delivery
This report was accepted by the client as a medium severity vulnerability and fixed
Takeaways
- Check process flows ( Verification, Purchase etc ) on different versions on the website ( eg. Mobile, Desktop ) as the code could be different between them.
