Pack several security vulnerabilities on the Ticwear assistant APP interface, mall, and developer Platform

Pack several security vulnerabilities on the Ticwear assistant APP interface, mall, and developer Platform

Pack several security vulnerabilities in the Ticwear assistant APP interface, mall, and developer platform (any user password reset/SMS Verification Code cracking ).
Ticwear assistant APP: http://store.ticwear.com/pages/download
Ticwear MALL: http://store.ticwear.com/
Ticwear developer platform: http://developer.ticwear.com/

Ticwear assistant APP interface:

1. Any mobile phone number registration (no text message verification code is required );

2. Any mobile phone number registration (brute-force SMS Verification Code );

3. Reset the password of any user (no text message verification code is required );

4. Reset the password of any user (the SMS verification code is cracked ).

Ticwear MALL:

1. Any mobile phone number registration (brute-force SMS Verification Code );

2. Reset the password of any user (the SMS verification code is cracked ).

Ticwear developer platform:

1. Any mobile phone number registration (brute-force SMS Verification Code );

2. Message Verification Code leakage (response cookie ).

For details, see (red letter explanation, interface address, and parameters)

Ticwear assistant APP interface:

1. Any mobile phone number registration (no text message verification code is required );

2. Any mobile phone number registration (brute-force SMS Verification Code );
 

3. Reset the password of any user (no text message verification code is required );

4. Reset the password of any user (the SMS verification code is cracked ).

Ticwear MALL:

1. Any mobile phone number registration (brute-force SMS Verification Code );

2. Reset the password of any user (the SMS verification code is cracked ).

Ticwear developer platform:

1. Any mobile phone number registration (brute-force SMS Verification Code );

2. Message Verification Code leakage (response cookie ).

Solution:

1. Increase the length of the text message verification code;

2. The interface limits users to send data in batches;

3. Do not return the SMS verification code to the client.