P2P Financial Security Sum credit, resetting login/transaction password, and other defects
In the dark of the night, I dug a wave of data, only to find the big factory ~~~~~~~~~~~~ The final launch before January 1, April successfully completed the big factory.
http://android.myapp.com/myapp/detail.htm?apkName=com.hexindai.hxd
Download the app and install it. Register an account for use later.
PS: During testing, the verification code is sometimes invalid or slow to arrive. Please retry several times when reviewing. Thank you.
1. Reset the Login Password
Password retrieval process: first, on the Password Reset page, use your own mobile phone number to have a verification code sent to your phone, and record the data in the request packet.
For example:
Verification code received by the mobile phone: 201562
rtoken in the request: 1d65df96648403a12e78d9a0d1602b15
Then start a password reset for 18888888888.
A verification code is sent to 18888888888 as well. However, while that code is being sent, the packet is intercepted and the rtoken in the returned response body is changed to our own rtoken.
Enter our verification code
Click Next to go to the password-setting page and set a new password.
Log in.
2. Reset the transaction password in the same way as above
The request that sends the verification code can be saved, so a new verification code and rtoken can be obtained at any time without going through the app.
Send the request for your own mobile phone number.
Replace the response body of the verification code request for 18888888888.
Enter the verification code 016174 we received
The verification is successful.
Set the new transaction password.
The new transaction password can be verified through the change-transaction-password function.
3. Change mobile phone binding
The mobile phone binding function is similar to the two functions above and has the same issue: the rtoken is not bound to the mobile phone number.
It also uses an rtoken.
I will not go further into this one here, as I do not have enough mobile phone numbers.
4. The interface for sending verification codes does not appear to enforce a sending interval, so it can be used in bulk for SMS bombing.
Test account: 18888888888, password 123123xx, transaction password 321321qq
Solution:
1. We recommend binding the mobile phone number, the rtoken and the SMS verification code together. When the three do not match, the request should not be processed.
2. The verification code interface does not seem to have a time interval set, so verification codes can be sent in batches.
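
A sketch of the server-side check that both solution items point to, added here as an example and not taken from the app or the original report. The class name, method names and the three limits are assumptions, and the in-memory dictionaries stand in for whatever session store the server uses.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300        # seconds a code stays valid (assumed value)
SEND_INTERVAL = 60    # minimum seconds between sends per phone (assumed value)
MAX_ATTEMPTS = 5      # wrong guesses allowed per rtoken (assumed value)

class ResetCodeStore:
    """In-memory stand-in for the server-side session store (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_token = {}   # rtoken -> record bound to one phone number
        self._last_send = {}  # phone -> timestamp of the last code sent

    def issue(self, phone):
        """Create a code and rtoken bound to one phone; enforce the send interval."""
        now = self._clock()
        if now - self._last_send.get(phone, float("-inf")) < SEND_INTERVAL:
            raise PermissionError("verification code requested too soon")
        self._last_send[phone] = now
        code = f"{secrets.randbelow(10**6):06d}"
        rtoken = secrets.token_hex(16)
        self._by_token[rtoken] = {
            "phone": phone,
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "expires": now + CODE_TTL,
            "attempts": 0,
        }
        return rtoken, code   # code goes out by SMS only; rtoken goes to the client

    def verify(self, phone, rtoken, code):
        """Accept only when phone, rtoken and code all belong to the same record."""
        rec = self._by_token.get(rtoken)
        if rec is None or self._clock() > rec["expires"]:
            self._by_token.pop(rtoken, None)
            return False
        if rec["phone"] != phone:          # rtoken was issued for another number
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS: # stop brute-forcing of the 6-digit code
            del self._by_token[rtoken]
            return False
        given = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(given, rec["code_hash"]):
            return False
        del self._by_token[rtoken]         # single use: cannot be replayed
        return True
```

Because the phone number is looked up from the server's own record for the rtoken, changing the rtoken in a response on the client side no longer moves a valid code onto another account.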