Let’s Flow into the report…
Initial Exploration:
- Understood the application’s functionality and identified its features.
- Explored the booking app to find features, including registration and login mechanisms.
- Observed that email verification is used for both registration and login, requiring a 6-digit code.
Testing the Verification Code Logic:
- The app sends a 6-digit verification code when registering or logging in with an email.
- The code is stated to be valid for 10 minutes.
- Attempted to login by entering an email.
- Requested multiple verification codes in quick succession.
- Waited for 10 minutes to let the first issued code expire, per the app’s stated policy.
Observing the issue:
1. After 10 minutes:
- Attempted to login using the first issued code.
- Login was successful, indicating the first code was still valid despite multiple subsequent codes being issued.
2. Discovery:
- The app failed to invalidate previously issued codes upon generating new codes.
- The first code should have been marked as expired when a new code was issued, but this did not happen.
Security Flaw:
- The app does not implement proper code invalidation logic.
- Old verification codes remain valid even after issuing new ones, creating a security loophole.
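To make the missing invalidation step concrete, the following Python model is an added example and not code from the report or from the affected booking app. It places a store that behaves like the flaw beside a hardened one, and replays the test from the report against both; the e-mail address and timestamps are constructed sample values.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60  # the app states codes are valid for 10 minutes


@dataclass
class IssuedCode:
    code: str
    expires_at: float


class VulnerableCodeStore:
    """Mirrors the flaw in the report: every issued code stays valid until its
    own expiry, so requesting a new code does not revoke the earlier ones."""

    def __init__(self) -> None:
        self._codes: dict[str, list[IssuedCode]] = {}

    def issue(self, email: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes.setdefault(email, []).append(
            IssuedCode(code, now + CODE_TTL_SECONDS)
        )
        return code

    def verify(self, email: str, candidate: str, now: float) -> bool:
        # Any unexpired code for this email is accepted, old or new.
        for issued in self._codes.get(email, []):
            if now < issued.expires_at and hmac.compare_digest(issued.code, candidate):
                return True
        return False


class HardenedCodeStore:
    """One active code per email: issuing a new code replaces the previous one,
    a successful verification consumes the code, and a small attempt budget
    limits guessing of the 6-digit space."""

    MAX_ATTEMPTS = 5

    def __init__(self) -> None:
        self._active: dict[str, IssuedCode] = {}
        self._attempts: dict[str, int] = {}

    def issue(self, email: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        # Overwriting the entry is the invalidation step the report found missing.
        self._active[email] = IssuedCode(code, now + CODE_TTL_SECONDS)
        self._attempts[email] = 0
        return code

    def verify(self, email: str, candidate: str, now: float) -> bool:
        issued = self._active.get(email)
        if issued is None:
            return False
        if now >= issued.expires_at:
            self._active.pop(email, None)  # expired: drop it
            return False
        self._attempts[email] = self._attempts.get(email, 0) + 1
        if self._attempts[email] > self.MAX_ATTEMPTS:
            self._active.pop(email, None)  # too many tries: force a fresh code
            return False
        if hmac.compare_digest(issued.code, candidate):
            self._active.pop(email, None)  # single use
            return True
        return False


def reproduce_report(store, now: float = 1_000_000.0) -> bool:
    """Replays the test from the report: request several codes in quick
    succession, then present the first one. Returns True if it is accepted."""
    email = "tester@example.com"  # constructed sample value
    first = store.issue(email, now)
    for i in range(1, 4):
        store.issue(email, now + i)
    return store.verify(email, first, now + 60)


if __name__ == "__main__":
    print("vulnerable store accepts stale code:", reproduce_report(VulnerableCodeStore()))
    print("hardened store accepts stale code:", reproduce_report(HardenedCodeStore()))
```

The hardened store keys its state on the e-mail address rather than on the code, so there is never more than one code to invalidate; the same property is what a server-side log of "code issued while an earlier one was still active" would let a defender alert on.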
A quick response from the H1 Triage Team.
Thank You For Reading 😊
Linkedin — https://www.linkedin.com/in/aman-hasan/