Hi everyone, after a long time I am doing a write-up, this time on GitHub recon which led to a full account takeover. A few days ago I got a private invite where the in-scope target was only the mobile app.
As it's a private program, we will call it Example App. I went through all the endpoints and functionality of the application and didn't find anything critical, so I thought I'd give their GitHub a try.
If you want to learn how to do GitHub recon, there is a detailed tutorial by Th3G3nt3lman.
So I started my search with the keyword passwd and got 3-5 results.
After going through all the files, I got a valid password in a file called config.properties.
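To make the file-triage step concrete, the following is an added example; it is not code from the original post or from the program. It parses a Java-style config.properties file and flags keys that look like they hold credentials (passwd, password, secret, api key, token, auth), skipping obvious placeholders such as `${VAR}` or `changeme`, and masks the values so they can be quoted in a report. The sample file contents and every key name in it are constructed for illustration; the GitHub keyword search itself is done manually, as described above.

```python
import re
from typing import Dict, List, Tuple

# Key names that commonly carry credentials in .properties files (assumed list).
SECRET_KEY_RE = re.compile(r"(passw(or)?d|secret|api[_.-]?key|token|auth)", re.IGNORECASE)
# Values that are placeholders rather than real credentials, e.g. ${DB_PASSWORD}.
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|<.*>|changeme|xxx+|\*+)$", re.IGNORECASE)

# Constructed sample, not the real config.properties from the post.
SAMPLE_CONFIG = """\
# Example App configuration (constructed sample)
app.name=ExampleApp
db.password=${DB_PASSWORD}
sms.provider.url=https://sms.example.invalid/api
sms.provider.username=exampleapp
sms.provider.passwd=Sup3rS3cret!
otp.length=6
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser.

    Handles key=value, key:value and 'key value' forms, '#' and '!' comment
    lines, and backslash line continuation. Escape sequences inside values
    are left as written, which is enough for credential triage.
    """
    props: Dict[str, str] = {}
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if not line or line[0] in "#!":
            continue
        # A single trailing backslash joins the next line onto this one.
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf = line[:-1]
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def find_leaked_credentials(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs whose key looks secret-bearing and whose value is not a placeholder."""
    findings = []
    for key, value in parse_properties(text).items():
        if SECRET_KEY_RE.search(key) and value and not PLACEHOLDER_RE.match(value):
            findings.append((key, value))
    return findings


def mask(value: str, keep: int = 2) -> str:
    """Mask a secret for inclusion in a report, keeping only the first and last characters."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


if __name__ == "__main__":
    for key, value in find_leaked_credentials(SAMPLE_CONFIG):
        print(f"possible credential: {key} = {mask(value)}")
```

Running the block on the constructed sample flags only `sms.provider.passwd`: `db.password` is skipped because its value is the `${DB_PASSWORD}` placeholder, and `sms.provider.username` is not treated as a secret on its own. The same function can be pointed at each file returned by a GitHub search for the keyword.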
The app uses OTP-based authentication, and I had got the credentials for the third-party service they use for sending SMS.
Using those credentials I logged into the SMS provider portal. There is a section called SMS delivery where all SMS delivery reports are stored, along with the phone number and the text sent to that number.
So now I had every registered user's mobile number and the OTP delivery reports, along with the OTPs.
So I just requested an OTP, got the valid OTP from the delivery report, and logged in to any user's account 😎
Hope you guys like it; share your feedback in the comments.