# Crazy Account Hijack

I was testing for my favorite bug type, MFA bypass, on this particular target, but it was quite secure. I tried all the usual test cases, including brute-force protection bypass, response manipulation, token leakage and many more, on the signup, login and reset password functionalities, but had no luck. :grimacing:

While I was testing for horizontal privilege escalation on sensitive actions on the profile page, I noticed an option to "Add Secondary Mobile Number". Adding a second mobile number also required code verification, for obvious reasons.

So I thought of giving this a try: an attempt to bypass verification when adding a second mobile number.

I again fired the same test cases but could not crack it. Just before I was about to give up on this endpoint, I thought of checking for token leakage one last time before moving on.

On a successful verification, I noticed that the response content contained a token:\
{token='random_string'}\
I realized that if I could get the token, add it to the response of a failed verification and change the response code, I could add the victim's mobile number without verification.

But a piece was still missing: where do I get the token? \
So I started checking each request made previously. I searched for the token value in the Burp proxy history and found that the token was leaking in the request made for sending the verification code. :partying_face:

I started a fresh request and captured the new token. \
Then I entered a wrong code and captured the request.\
I added a token parameter and pasted in the token value.\
I forwarded the request.\
And now I had the victim's mobile number as a secondary number on my profile without verification. :man_dancing:
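The root cause described above is a proof-of-verification token that the server mints when the code is sent, hands to the client, and later trusts when it comes back, so the code check can be skipped by replaying it. The following is an added example, not the target's code, that models that flow in a few dozen lines of Python and puts a hardened version beside it. All class and method names, the in-memory stores, and the sample phone numbers are assumptions constructed for illustration.

```python
"""Added example (not the target's code): a toy model of the secondary-mobile
verification flow from the write-up, the broken design beside a hardened one.
All names, the in-memory stores and the sample phone numbers are constructed."""
import hmac
import secrets


class VulnerablePhoneService:
    """Mints the proof token when the code is SENT and returns it to the client."""

    def __init__(self):
        self.pending = {}   # (user, phone) -> {"code": ..., "token": ...}
        self.profiles = {}  # user -> set of verified secondary numbers

    def send_code(self, user, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_hex(16)
        self.pending[(user, phone)] = {"code": code, "token": token}
        # Bug 1: the token leaks in the send-code exchange, before any code check.
        return {"sent": True, "token": token}

    def verify(self, user, phone, code=None, token=None):
        state = self.pending.get((user, phone))
        if state is None:
            return {"ok": False}
        # Bug 2: a client-supplied token is accepted as proof of verification,
        # so a wrong code plus the leaked token passes without checking the code.
        if token is not None and hmac.compare_digest(token, state["token"]):
            self.profiles.setdefault(user, set()).add(phone)
            return {"ok": True, "token": state["token"]}
        if code is not None and hmac.compare_digest(code, state["code"]):
            self.profiles.setdefault(user, set()).add(phone)
            return {"ok": True, "token": state["token"]}
        return {"ok": False}


class HardenedPhoneService:
    """Verified state lives server-side; the only evidence accepted is the code."""

    MAX_ATTEMPTS = 5  # assumed limit; also closes the brute-force path

    def __init__(self):
        self.pending = {}
        self.profiles = {}

    def send_code(self, user, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[(user, phone)] = {"code": code, "attempts": 0}
        # The code is delivered out of band (SMS); the HTTP response carries no secret.
        return {"sent": True}

    def verify(self, user, phone, code=None, **ignored):
        # Extra client fields such as "token" are ignored, never treated as proof.
        state = self.pending.get((user, phone))
        if state is None or state["attempts"] >= self.MAX_ATTEMPTS:
            return {"ok": False}
        state["attempts"] += 1
        if code is None or not hmac.compare_digest(code, state["code"]):
            return {"ok": False}
        # Consume the pending entry so the same code cannot be replayed, and
        # record the verified number server-side rather than in a bearer token.
        del self.pending[(user, phone)]
        self.profiles.setdefault(user, set()).add(phone)
        return {"ok": True}


def replay_leaked_token():
    """Replays the leaked token with a wrong code against both designs.

    Returns (vulnerable_accepted, hardened_accepted); expected (True, False)."""
    phone = "+10000000000"  # constructed sample number
    vuln = VulnerablePhoneService()
    leaked = vuln.send_code("attacker", phone)["token"]
    vuln_ok = vuln.verify("attacker", phone, code="wrong", token=leaked)["ok"]

    hard = HardenedPhoneService()
    hard.send_code("attacker", phone)
    hard_ok = hard.verify("attacker", phone, code="wrong", token="anything")["ok"]
    return vuln_ok, hard_ok


if __name__ == "__main__":
    print(replay_leaked_token())  # (True, False)
```

The two properties worth checking in a code review of any such endpoint are visible in the hardened class: nothing in the send-code response is later accepted as proof, and the verified state is recorded on the server after the code check rather than carried in a client-presented token. A log of verify calls that succeed without a matching attempt counter increment, or that carry unexpected parameters, is the detection signal for the replay the write-up describes.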

I tried the same method on login, signup and forgot password, but different mechanisms were used there.

I then looked at how I could escalate the impact by changing it to my primary number, but there was no such option.

I then spent a few more hours looking for other bugs.\
After that I switched to the Android application to find logical bugs.\
There I noticed that the profile page had an option: "change primary mobile number" :sparkles: jackpot :sparkles: \
I could then have the victim's mobile number as the primary mobile number linked with my account.

Impact: An attacker can impersonate the victim and do malicious stuff.\
This makes the verification process on signup completely useless.

PS: "Victim" in the description is my own mobile number. I did not mean to imply that I used anyone else's mobile number for exploitation.
