I have been paying attention to the security of mobile terminals, and the apps of major enterprises have become the objects of my attention. I like Netease's Youdao Cloud Notes very much, so I tested its iOS client and found an interface that can reset a password and forcibly unbind a mobile phone mailbox.

Youdao Cloud Notes has a mobile phone registration function. Because the 163 mailbox used for registration is not independent, 163 mobile phone mailboxes are also affected. The first few steps of registration have mechanisms such as verification-code checks, but in the last step only the mobile phone number and password are submitted, with no other authentication information. At this point I substituted other mobile phone numbers for testing, and it was possible to change the password of other mobile phone mailboxes. The packet is as follows:

POST /noteproxy/register HTTP/1.1
Host: m.note.youdao.com
User-Agent: ynote-iphone
Content-Length: 63
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept-Encoding: gzip
Cookie:
Connection: close
Proxy-Connection: close

phoneNum=13333333333&format=json&password=123456&confirm=123456

The interface performs no verification, so you can directly change the password of the corresponding mobile phone mailbox. However, after a series of attempts I found that the other party's password is not actually modified. The mobile phone mailbox is an independent service: a mobile phone number is bound to an ordinary mail account as its email address, and this operation re-binds that mobile phone number to a new mailbox. That is to say, the password of the original account is not modified; instead, a new account is registered and the original owner's email address is bound to it. The original mobile phone receives an "unbound" text message. But at this point the mobile phone mailbox has already been hijacked, and the danger is self-evident.

Solution:
I firmly believe that every submission is insecure. Every submission requires authentication.
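The fix the write-up calls for is that the last registration step must not trust the phoneNum field on its own: the server has to tie the final submission to the phone number that was actually verified in the earlier steps. The following Python is an added illustration written for this page, not Youdao's code; the function names, the HMAC-signed registration token, the in-memory stores and the sample phone numbers are all constructed here. It shows the weak final step beside a hardened one that takes the phone number from a token issued only after the verification code was checked.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed in-memory state for the demo; a real service would use a database
# and load the signing key from a secret store.
SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment HMAC key
OTP_TTL = 300                          # seconds an SMS code stays valid
TOKEN_TTL = 600                        # seconds a registration token stays valid

pending_otps = {}   # phone -> (code, expiry)
accounts = {}       # phone -> password hash


def step1_send_otp(phone):
    """Step 1: generate a one-time code for the phone. In production it is sent
    by SMS; here it is returned so the demo can complete the flow offline."""
    code = f"{secrets.randbelow(10**6):06d}"
    pending_otps[phone] = (code, time.time() + OTP_TTL)
    return code


def _sign(payload_b64):
    return hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


def step2_verify_otp(phone, code):
    """Step 2: check the code and issue a signed token recording WHICH phone
    was verified, so later steps cannot substitute a different number."""
    entry = pending_otps.pop(phone, None)
    if entry is None or time.time() > entry[1] or not hmac.compare_digest(entry[0], code):
        return None
    claims = {"phone": phone, "exp": time.time() + TOKEN_TTL}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return payload + "." + _sign(payload)


def _phone_from_token(token):
    """Return the verified phone number from a token, or None if it is invalid."""
    try:
        payload, sig = token.split(".", 1)
    except (ValueError, AttributeError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if time.time() > claims["exp"]:
        return None
    return claims["phone"]


def _hash_password(password):
    # Demo only: use a proper password hash (argon2, bcrypt, scrypt) in production.
    return hashlib.sha256(password.encode()).hexdigest()


def step3_register_weak(form):
    """The pattern the write-up describes: the final step trusts the phoneNum
    field in the POST body and never checks that this caller verified it."""
    if form["password"] != form["confirm"]:
        return "password mismatch"
    accounts[form["phoneNum"]] = _hash_password(form["password"])  # binds any number named
    return "ok"


def step3_register_hardened(form, token):
    """Hardened: the phone comes from the step 2 token, so a caller can only
    complete registration for the number they proved control of."""
    verified_phone = _phone_from_token(token)
    if verified_phone is None:
        return "missing or invalid verification token"
    if form.get("phoneNum") != verified_phone:
        return "phoneNum does not match verified phone"
    if form["password"] != form["confirm"]:
        return "password mismatch"
    accounts[verified_phone] = _hash_password(form["password"])
    return "ok"


def demo():
    """Caller verifies their own number, then names a different number in step 3."""
    own, other = "13300000001", "13300000002"   # constructed sample numbers
    accounts[other] = _hash_password("original-password")
    token = step2_verify_otp(own, step1_send_otp(own))
    form = {"phoneNum": other, "password": "123456", "confirm": "123456"}
    weak = step3_register_weak(form)
    weak_rebound = accounts[other] == _hash_password("123456")
    accounts[other] = _hash_password("original-password")   # reset for the hardened run
    hardened = step3_register_hardened(form, token)
    hardened_rebound = accounts[other] == _hash_password("123456")
    return weak, weak_rebound, hardened, hardened_rebound


if __name__ == "__main__":
    print(demo())
```

The token is the important part: the phone number in the final step is whatever step 2 signed, so the request body cannot redirect the binding to a number that was never verified, and an expired or forged token is rejected before any account is touched.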