Let's name the company FoodieExpress. It serves fast food in its restaurants, offers take-away, and delivers food to homes (when ordered by phone, mobile app or website).

There is only one way to log in to the website or mobile app: OTP login. You enter your registered mobile number, receive an OTP, enter it on the screen, and you are logged in. If the number is not registered, an OTP is still sent to it, and after entering it you are asked to provide your details (name, email ID, delivery address, etc.).

The issue was here: the OTP check can be bypassed, so you can log in to anybody's account. If the user is not registered, you can create an account for their number without any consent.

To walk through one happy (valid) scenario, let's order some food from FoodieExpress. My number 1234512345 is already registered with them.

When I click the ‘Sign In / Register’ button on the FoodieExpress website's homepage, it takes me to the Login page (https://foodieexpress.co.in/login). The page asks for my mobile number, and I enter 1234512345. I receive an OTP on my phone, let's say 9876. On the next page I enter OTP 0000, and it says ‘Invalid OTP!’. Then I enter the correct OTP 9876, and it logs me in. After login, I can go through my profile to see my personal details, saved addresses and order history, track an existing order, etc.

Now something technical: what happens at the back-end in the above scenario.

An API call named ‘api/cart/validate-cust-otp’ is made to the server foodieexpress.co.in:443, carrying the OTP entered by the user. For example:

{
  "otp": "9876"
}

The server checks whether the OTP is correct and responds to the browser accordingly. The HTTP response body is one of these two:

(a) If the OTP is incorrect

{"messageCode": 1015,"Message":"OTP is Invalid or Expired ","ErrorCode": 0}

(b) If the OTP is correct

{"messageCode": 1001,"Message":"Successful","ErrorCode":0}

The browser proceeds on the basis of this response from the server. If the response is modified in transit with an intercepting proxy (e.g. Burp Suite), the browser has no way to know that, and it will act on the modified response instead of the real one.

Both of the responses above are used to exploit the security issue.
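The root cause is that the client, rather than the server, ends up deciding what a ‘Successful’ OTP response means. As an added example (not FoodieExpress's code; the in-memory stores, the token field, the OTP lifetime and the attempt limit are all assumptions), this is the server-side design that closes the hole: the OTP endpoint returns the page's two JSON responses, but only the real success path mints a session token, and the protected profile endpoint checks that token instead of trusting anything the browser believes about the OTP step.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime of an OTP
MAX_ATTEMPTS = 5        # assumed limit on wrong guesses per OTP

# Constructed in-memory stores standing in for the real backend.
_pending_otps = {}  # phone -> {"otp": str, "expires": float, "attempts": int}
_sessions = {}      # server-issued token -> phone

INVALID = {"messageCode": 1015, "Message": "OTP is Invalid or Expired ", "ErrorCode": 0}


def issue_otp(phone, now=None):
    """Generate a 4-digit OTP and remember it server-side with an expiry.
    In the real system the OTP goes to the SMS gateway, never to the browser."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10_000):04d}"
    _pending_otps[phone] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return otp


def validate_cust_otp(phone, otp, now=None):
    """Handler for api/cart/validate-cust-otp, returning the page's two response
    shapes. The success response also carries a token the server generated;
    that token, not the 'Successful' message, is what later requests rely on."""
    now = time.time() if now is None else now
    rec = _pending_otps.get(phone)
    if rec is None or now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        return dict(INVALID)
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["otp"], otp):   # constant-time comparison
        return dict(INVALID)
    del _pending_otps[phone]                       # an OTP is single-use
    token = secrets.token_urlsafe(32)
    _sessions[token] = phone
    return {"messageCode": 1001, "Message": "Successful", "ErrorCode": 0, "token": token}


def get_profile(token):
    """Protected endpoint: returns (http_status, body). Authorization comes only
    from the server-side session table, so a response edited in a proxy to say
    'Successful' carries no valid token and unlocks nothing."""
    phone = _sessions.get(token)
    if phone is None:
        return 401, {"Message": "Unauthorized"}   # constructed error body
    return 200, {"Message": "Successful", "phone": phone}
```

With this layout, editing the validate-cust-otp response in a proxy changes only what the browser displays; the profile, addresses and order history stay locked behind a token the server never issued.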