A Unicom APP may cause Password Reset problems in batches

Source: Internet
Author: User


My girlfriend is a textbook "bai fu mei" (fair, rich and beautiful). Every time I take her out shopping, we draw a lot of stares. Once the two of us went to eat hot pot, and the waiter, after bringing our order, kept staring at my girlfriend. I thought darkly to myself that this kid must be eaten up with envy. Then he turned to me and said: "Excuse me, could you please move over a bit!"

1. The app is China Unicom's Wakuan app. I have previously written about the unstable bandwidth of Beijing Unicom.

First, open the app and tap Login. On the login page, tap Forgot Password.

2. Enter a mobile phone number. If the number is not registered, tapping Next prompts that the user name does not exist; if it is registered, you can proceed.

3. Looking at the request intercepted by Burp, the server returns 1 if the number exists and 2 if it does not. Note: to intercept the phone's requests, set the phone's proxy to the IP address of a computer on the same LAN and configure Burp to listen on that same address.

The password reset process itself follows. I think this vulnerability can serve as a classic case of a broken password reset.

1. Select a registered number and send the request. From the Burp request and response you can see that this operation returns page data, not the JSON an API call would return, so the app's requests can be replayed from a browser.
Reset method 1: modify the receiving number. In the request, change the mobile number that receives the reset code to your own number, receive the verification code, enter it, and the reset succeeds.

Reset method 2: brute force. The verification code is 6 digits, so the correct code can be found by brute force: the server returns 1 for a correct code and 2 for an incorrect one. For details, see my previous vulnerability reports.


Reset method 3: modify the response value. As noted above, 1 means correct and 2 means incorrect; changing the 2 in an incorrect response to 1 also brings up the password reset page.

Reset method 4: unauthorized modification. In the last step, the request that sets the new password contains a mobile number; changing it to another user's mobile number resets that user's password instead.


To show the severity of this problem: as far as I know, Beijing Unicom may require this app to be installed for broadband acceleration, so a large number of users could be reset. From my phone's address book I picked three Beijing contacts and, keeping the first eight digits of their numbers fixed and varying the last four, checked how many registered users there were. There are many, and almost all of them could be brute-forced in this way.

Vendor rating: Unicom, rank 20.

Solution:

Redesign the password reset flow.
