Critical · CVSS 9.6 · CSRF

[EN] One-Click Account Takeover via OTP Bypass and CSRF

Vulnerability Summary

This writeup details a critical business logic vulnerability in the email change flow of a platform. By combining an OTP Bypass and a CSRF, it was possible to arbitrarily replace any user's email address with a single click, resulting in a complete Account Takeover (ATO).

Note: All data exposing the real identity of the company or the endpoints has been replaced with fictional environments and values (api.example.com) to protect confidentiality.

Vulnerability Analysis

The flaw resided in how the server handled the email change request, which required validation through an OTP code sent to the new address. The responsible endpoint was:

https://api.example.com/user/userAction!modifyEmail.action?email=[NEW_EMAIL]&checkcode=[OTP]

Exploitation was possible due to two concurrent critical deficiencies in this endpoint:

  1. Global OTP Reuse (OTP Bypass): The server verified that the numeric code (checkcode) matched the one issued for the supplied address (email), but it did not check which user session or which functionality the code had been issued for. An attacker could therefore request a valid OTP through an unrelated flow under their own control and then consume it within another account's session.
  2. Cross-Site Request Forgery (CSRF): The endpoint allowed the critical action (changing the account email) to be performed via an HTTP GET request, with the parameters passed in the query string. It also performed no validation of an anti-CSRF token or of headers such as Origin/Referer that would have attested to the victim's intent.
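As an added example (not the writeup's own code, and not the affected platform's), the handler below shows the checks whose absence made both deficiencies exploitable: the OTP is bound to the issuing user, the purpose it was requested for and the target email, the action is POST-only, and the request must carry a matching Origin and a per-session CSRF token. The origin, the in-memory store and the Request stand-in are assumptions for the demonstration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical in-memory OTP store keyed by (user_id, purpose, email).
# Binding a code to the session and action it was issued for is exactly
# the check the vulnerable endpoint skipped. Real services use a TTL cache.
_OTPS: dict = {}
OTP_TTL_SECONDS = 300
TRUSTED_ORIGIN = "https://app.example.com"  # assumed first-party origin

def issue_otp(user_id: str, purpose: str, email: str) -> str:
    """Issue a 6-digit code tied to this user, this purpose and this email."""
    code = f"{secrets.randbelow(10**6):06d}"
    _OTPS[(user_id, purpose, email)] = (code, time.time() + OTP_TTL_SECONDS)
    return code

def consume_otp(user_id: str, purpose: str, email: str, code: str) -> bool:
    """Single-use, constant-time check; False if any binding does not match."""
    entry = _OTPS.get((user_id, purpose, email))
    if entry is None:
        return False
    stored, expires_at = entry
    if time.time() > expires_at or not hmac.compare_digest(stored, code):
        return False
    del _OTPS[(user_id, purpose, email)]  # a code can only be spent once
    return True

@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    headers: dict
    form: dict
    session: dict  # holds "user_id" and a per-session "csrf" token

def modify_email(req: Request) -> tuple:
    """Hardened email change: POST only, Origin + CSRF token, bound OTP."""
    if req.method != "POST":
        return 405, "state-changing action must be POST"
    if req.headers.get("Origin") != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    if not hmac.compare_digest(req.form.get("csrf", ""), req.session.get("csrf", "")):
        return 403, "missing or wrong CSRF token"
    user_id = req.session["user_id"]
    if not consume_otp(user_id, "modify_email", req.form.get("email", ""), req.form.get("checkcode", "")):
        return 400, "OTP not valid for this session, action and email"
    return 200, f"email for {user_id} changed to {req.form['email']}"
```

A code obtained from a registration flow in the attacker's own session fails the `(user_id, purpose, email)` lookup even if the request is otherwise well formed, so the writeup's reuse trick is rejected before any change is applied.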

Exploitation Flow

The attack chain proceeded step-by-step as follows:

  1. OTP Capture: The attacker requests a verification code to their own email address (attacker@evil.com) from a generic panel (such as new account registration), obtaining a valid OTP sent to their inbox (e.g., 123456).
  2. CSRF Vector Construction: The attacker crafts their payload by building a malicious URL pointing to the email change endpoint, injecting their email and the freshly obtained OTP code:
    https://api.example.com/user/userAction!modifyEmail.action?email=attacker@evil.com&checkcode=123456
