What is Account Takeover?

Account takeover is a class of vulnerability in which an attacker gains access to your online account (Google, Twitter, PayPal, etc.). Attackers achieve this through weaknesses such as session hijacking, cross-site scripting, cross-site request forgery, brute force, weak authentication, poor OTP implementation and so on. Through such a vulnerability the attacker gains unauthorized access to personal or business accounts, often using stolen credentials. Once the attacker controls the targeted account, they can transfer funds, use stored credit cards, deplete gift cards and loyalty points, redeem airline miles, submit fraudulent credit applications, plant ransomware or other malware, steal corporate data and perform acts of cyberterrorism.

How is Account Takeover done?

There are different methods of account takeover for different situations, and attackers may employ a variety of techniques to gain access to a normal user's account. If an attacker has a list of usernames for a targeted site but not the passwords, they may employ a technique called password spraying, in which they try a common default password, such as “Password1,” against a large number of usernames.

If the attacker has a valid username and password combination for a targeted site, they may try to scale the attack and take over the same user’s accounts on other sites. This technique is called credential stuffing. Again, the attacker will employ bot automation to quickly try the credentials across e-commerce, banking, travel and other popular websites, in the hope that some users have reused the same usernames and passwords on multiple sites.
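Both password spraying and credential stuffing share a shape in authentication logs that per-account lockouts miss: one source touches many distinct accounts with only one or two attempts each. The following added example (not code from the original article) flags that shape with a sliding window per source address. The log format and the sample lines are constructed for the example.

```python
"""Flag login sources that touch many distinct accounts in a short window.

Added example, not from the original article. The log format and sample lines
are constructed: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries six different accounts in six seconds
# (spraying / stuffing shape); another retries a single account (ordinary user
# mistyping a password), which a per-account lockout already handles.
SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL user=alice ip=203.0.113.5
2024-01-10T09:00:02 FAIL user=bob ip=203.0.113.5
2024-01-10T09:00:03 FAIL user=carol ip=203.0.113.5
2024-01-10T09:00:04 FAIL user=dave ip=203.0.113.5
2024-01-10T09:00:05 FAIL user=erin ip=203.0.113.5
2024-01-10T09:00:06 OK user=frank ip=203.0.113.5
2024-01-10T09:00:10 FAIL user=alice ip=198.51.100.7
2024-01-10T09:01:30 FAIL user=alice ip=198.51.100.7
2024-01-10T09:02:00 OK user=alice ip=198.51.100.7
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, outcome, user_kv, ip_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": outcome == "OK",
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def detect_spraying(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: accounts} for sources that attempted at least `min_users`
    distinct accounts inside any span of length `window`.

    Per-account lockouts do not catch this shape because each account sees
    only one or two attempts; the signal is the fan-out per source.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best = set()
        start = 0
        for end in range(len(evs)):  # sliding window over this source's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_spraying(SAMPLE_LOG).items():
        print(f"{ip}: {len(accounts)} distinct accounts -> {sorted(accounts)}")
```

The successful login from 203.0.113.5 (user frank) is exactly the event worth chasing: a hit inside a spraying burst is the takeover, so a detection that only counts failures would miss the account that actually needs a forced password reset.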

As you know, this article is about hacking an account by phone number. It covers one special case in which I hacked an account through caller number spoofing. Yes, call spoofing.

Time to go

How I hacked an account with a phone number

Once, I was just searching for a bug bounty program that would get me into a Hall of Fame. So I used the Google dork

site:*.in intext:"hall of fame"

and got my target, which is a famous customer healthcare company in India. So I just started testing it and found a login page on their main domain.

[Screenshot: Enter mobile number]

Then I thought, why not check for an OTP bypass? But I didn't find anything. Then I found there is an option to log in just by giving a missed call to the company’s server number.

[Screenshot: Missed call to login]

OK, now comes the interesting part of this article. I thought, why not check for a caller ID spoofing vulnerability? Now you are thinking that it is impossible, but it is possible. To perform caller ID spoofing we just need some tools and services like VoIP, or just your brain and an Android phone.

I think everyone knows about caller ID spoofing, but for those who don't:

What is Caller ID Spoofing?

Caller ID spoofing is a method by which an attacker manipulates the caller name or number shown on the receiver's device. This can lead to a caller ID display showing a phone number different from that of the telephone from which the call was actually placed.

How does Missed Call To Login work?

  1. The user dials the number displayed on the login page.
  2. The operator sends the call details to the server.
  3. The response is forwarded to the callback URL.
  4. The user is authenticated.
  5. Now the user can access their account and perform specific tasks.
[Screenshot: Missed call to this number]
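The weakness in the flow above is step 3 to 4: the caller ID that the operator reports is treated as proof that the account owner dialed in, yet it is data the caller controls. The added example below (not the company's code; numbers and account ids are constructed) shows a callback handler written that way next to a hardened flow in which the missed call only opens a challenge, and the session is issued when a one-time code delivered to the registered number is echoed back, which a caller who merely presented that number cannot do. It also rate-limits and expires the code, the "poor OTP implementation" pitfalls mentioned at the top of the article. Timestamps are plain integer seconds to keep the example self-contained.

```python
"""Missed-call login: why caller ID alone is not proof, and a hardened flow.

Added example, not the company's code. Assumes the operator's callback hands
the server the calling number as a string; numbers and ids are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed directory of registered numbers -> account ids.
USERS = {"+911234567890": "user-42", "+919876543210": "user-7"}


def login_callback_vulnerable(caller, sessions):
    """Callback-URL handler that mirrors steps 2-4 of the flow: the reported
    caller ID is accepted as proof that the account owner dialed in."""
    uid = USERS.get(caller)
    if uid is None:
        return None
    token = secrets.token_hex(16)
    sessions[token] = uid  # whoever presented this caller ID is now logged in
    return token


class MissedCallAuth:
    """Hardened flow: the missed call only records a pending challenge.
    A session is issued only when the one-time code sent *to* the registered
    number comes back correct, fresh and unused."""

    def __init__(self, send_sms, otp_ttl=180, max_tries=5):
        self.send_sms = send_sms    # out-of-band delivery, injected so tests can capture it
        self.otp_ttl = otp_ttl      # seconds a code stays valid
        self.max_tries = max_tries  # wrong guesses allowed before the challenge is dropped
        self.pending = {}           # phone -> [otp_hash, expiry, tries_left]
        self.sessions = {}          # token -> account id

    @staticmethod
    def _digest(otp):
        # Store a hash so a leaked pending table does not leak live codes.
        return hashlib.sha256(otp.encode()).hexdigest()

    def on_missed_call(self, caller, now):
        """Replacement for step 3: open a challenge instead of authenticating."""
        if caller not in USERS:
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[caller] = [self._digest(otp), now + self.otp_ttl, self.max_tries]
        self.send_sms(caller, otp)  # reaches the real subscriber, not a spoofer
        return True

    def confirm(self, phone, otp, now):
        """Return a session token for a correct, fresh, unused code; else None."""
        entry = self.pending.get(phone)
        if entry is None:
            return None
        otp_hash, expiry, tries_left = entry
        if now > expiry or tries_left <= 0:
            self.pending.pop(phone, None)
            return None
        if not hmac.compare_digest(otp_hash, self._digest(otp)):
            entry[2] -= 1  # count the wrong guess; drop the challenge when exhausted
            if entry[2] <= 0:
                self.pending.pop(phone, None)
            return None
        self.pending.pop(phone)  # single use
        token = secrets.token_hex(16)
        self.sessions[token] = USERS[phone]
        return token


if __name__ == "__main__":
    sessions = {}
    print("vulnerable handler issued:", login_callback_vulnerable("+911234567890", sessions))
    outbox = {}
    auth = MissedCallAuth(send_sms=lambda phone, code: outbox.__setitem__(phone, code))
    auth.on_missed_call("+911234567890", now=0)
    print("hardened handler after call:", auth.sessions)  # still empty
    print("after correct code:", auth.confirm("+911234567890", outbox["+911234567890"], now=30))
```

The vulnerable handler cannot distinguish a genuine call from one with a forged caller ID because both arrive as the same callback; no amount of validation on the callback itself fixes that, which is why the hardened version moves the proof to a channel that terminates at the registered number.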

So I made a call to the number displayed on the login page and was successfully logged in.

[Screenshot: Logged in]

Then I quickly reported this vulnerability to the company’s Responsible Disclosure Program. As I said previously, this Responsible Disclosure Program has a Hall of Fame for researchers who report vulnerabilities. I got in too.

Previous article : https://bepractical.tech/price-manipulation-vulnerability-on-fitness-website/

You can visit my profile and follow me on :

Linkedin : https://www.linkedin.com/in/aakash-patel-6250/

Twitter : https://twitter.com/AAKASH_6250

Youtube : https://youtube.com/channel/UCOjZF3dnFCXhZ4yUtNc7DHA