Today I would like to share how I was able to bypass OTP (One Time Password) login with a simple brute force attack on India's biggest travel service provider. OTP is used as an additional security measure, termed 2FA. For those who don't know, what is 2FA?

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual factor authentication, is a security process in which the user provides two different authentication factors to verify themselves to better protect both the user’s credentials and the resources the user can access.

Generally, an OTP is a 4-digit number from 0000 to 9999. If we count, that is only 10,000 combinations. The limiting factor is not the attacker's computer but how fast the server answers: at a few hundred requests per second, all 10,000 candidates can be sent in under a minute, and on average the right one turns up halfway through, well inside a typical OTP validity window. If OTP verification is not properly managed, anyone can bypass it with a simple brute force.

Why was I able to bypass the 2FA?

No rate limiting on unsuccessful attempts (the server kept checking guesses against the same OTP)

No new-OTP policy after X unsuccessful attempts (the OTP was never invalidated, so every one of the 10,000 candidates could be tried against it)

A few prerequisites:

Web browser

Burp Suite

Now let's see how I was able to bypass the 2FA with Burp Suite:

Step 01: Started the login on the website using the mobile number, entered a wrong OTP and intercepted the request in Burp Suite.

[Screenshot: panel to enter the OTP received on the mobile number]

[Screenshot: intercepting the verifyOTP API call in Burp Suite]

Step 02: Sent the verifyOTP API call to Intruder.

[Screenshot: dialogue box to send the request to Intruder]

[Screenshot: Intruder screen in Burp Suite]

Step 03: Selected the OTP value in the request and marked it as the payload position for a simple (Sniper) brute force.

[Screenshot: Intruder screen with the OTP parameter selected as the payload position]

Step 04: On the Payloads tab, changed the payload type to Numbers, set a sequential range from 0 to 9999 with a step of 1 and a minimum of 4 integer digits (otherwise values below 1000 are sent without their leading zeros and a code such as 0042 is never tried), and clicked Start attack.

[Screenshot: Payloads screen with the number range and digit options]

[Screenshot: brute force in progress]

Step 05: While the brute force was in progress I could see that the response length for one OTP value differed from all the others: 2250 instead of 617. Every wrong guess produced the same error body, so the one response that stands out in the Length column is the candidate worth checking:

[Screenshot: response for the OTP value with the different length]

Step 06: Boom!!! That response contained the login token, and I was able to log in with it.

[Screenshot: details of the successful login]

Hence, the simple brute force was successful: with no attempt counter and no invalidation of the OTP after repeated failures, the whole 4-digit keyspace was available to try against a single code.
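To make the two causes listed above concrete, and to replay the Intruder attack from Steps 01 to 06 offline, here is an added Python example. It is not code from the original post or from the affected site: the OtpService class is an assumed, simulated verifyOTP backend, MAX_FAILED_ATTEMPTS is an assumed policy value, and the response bodies and their lengths are constructed for the demo. In rate_limited=False mode the service behaves as the post describes (every guess is checked against the same, still-valid OTP); in rate_limited=True mode the OTP is invalidated after a handful of wrong guesses. The brute_force() function mirrors Intruder's Numbers payload (sequential, zero-padded to 4 digits) and, like the post, spots the hit by a response length that deviates from the baseline rather than by parsing the body.

```python
from __future__ import annotations

import hmac
import json
import secrets
from dataclasses import dataclass

OTP_DIGITS = 4
MAX_FAILED_ATTEMPTS = 5   # assumed hardened policy: throw the OTP away after this many wrong guesses


@dataclass
class OtpRecord:
    code: str
    failed_attempts: int = 0
    invalidated: bool = False


class OtpService:
    """Simulated verifyOTP backend (assumption for this demo, not the real API).

    rate_limited=False reproduces the behaviour described in the post;
    rate_limited=True adds the attempt counter and OTP invalidation that were missing.
    """

    def __init__(self, rate_limited: bool):
        self.rate_limited = rate_limited
        self._records: dict[str, OtpRecord] = {}
        self.requests_seen = 0

    def send_otp(self, mobile: str, code: str | None = None) -> str:
        # A fixed code may be passed so the demonstration is deterministic.
        if code is None:
            code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._records[mobile] = OtpRecord(code)
        return code  # delivered by SMS in reality; returned here only for the demo

    def verify(self, mobile: str, guess: str) -> dict:
        self.requests_seen += 1
        rec = self._records.get(mobile)
        if rec is None or rec.invalidated:
            return {"status": "error", "message": "OTP expired, request a new one"}
        if hmac.compare_digest(rec.code, guess):
            rec.invalidated = True  # one-time: the same code is never accepted twice
            return {"status": "success", "token": secrets.token_hex(32),
                    "profile": {"mobile": mobile, "wallet": 0, "bookings": []}}
        rec.failed_attempts += 1
        # Hardened behaviour: after N wrong guesses the OTP is discarded, so an attacker
        # gets at most N guesses per OTP instead of the whole 10,000-value keyspace.
        if self.rate_limited and rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            rec.invalidated = True
        return {"status": "error", "message": "Invalid OTP"}


def number_payloads(start: int = 0, stop: int = 9999, min_digits: int = OTP_DIGITS):
    """Equivalent of Intruder's Numbers payload: sequential, padded to min_digits."""
    for n in range(start, stop + 1):
        yield f"{n:0{min_digits}d}"


def brute_force(service: OtpService, mobile: str, min_digits: int = OTP_DIGITS) -> dict:
    """Send every candidate and stop at the first response whose serialised length
    differs from the baseline, the way the hit showed up in Intruder's Length column.
    The first response is taken as the baseline, i.e. the first guess is assumed wrong."""
    baseline = None
    attempts = 0
    for guess in number_payloads(min_digits=min_digits):
        attempts += 1
        resp = service.verify(mobile, guess)
        length = len(json.dumps(resp))
        if baseline is None:
            baseline = length
        elif length != baseline:
            return {"guess": guess, "attempts": attempts, "response": resp}
    return {"guess": None, "attempts": attempts, "response": None}


if __name__ == "__main__":
    mobile = "9999999999"  # constructed sample number
    for hardened in (False, True):
        svc = OtpService(rate_limited=hardened)
        svc.send_otp(mobile, code="0042")
        result = brute_force(svc, mobile)
        print("hardened" if hardened else "vulnerable", result)
```

Running it shows the two outcomes side by side: against the vulnerable service the 43rd request (payload 0042) comes back with a token, while against the hardened service the length anomaly appears on the sixth request and is the "request a new one" error, after which even the correct code is refused. Passing min_digits=1 to brute_force() reproduces the leading-zero mistake from Step 04: 42 is sent instead of 0042 and the run finishes with no hit at all.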