QQ Password Change Vulnerability ignore QQ password protection and security mobile phone direct change QQ Password

QQ Password Change Vulnerability ignore QQ password protection and security mobile phone direct change QQ Password

Ignore QQ password security mobile phone direct modification QQ password tutorial closed test successful don't know Is Not A Vulnerability

The sender says that the password can be successfully changed without the first-generation, second-generation, and second-generation security.

Liangliang is a two-generation password protection service with a secure mobile phone. When a QQ token is bound, no password verification is performed to change the password!

Of course, not every number can be changed successfully. I tested three two generations and only one number is allowed.

Test preparation

1: No.

2: Bank Card

The test procedure is as follows:

Step 1: Open-search for QQ members-my-click link QQ-log on to the QQ number you want to change the password

Bytes

 

 

Step 2: Search for QQ Security Center-click Change Password for intermediate account problems/forgot password-click here in the middle

 

This is the key. If this prompt is not displayed, even if the donation connection is taken out for use, the domain name is not authorized.

 

So it may not work without this prompt!

Bytes

 

Step 3: Go to the donation page. The payment option 1 page is displayed. Click I want to donate. Enter 0.01. Click Finish in the upper right corner. The modification page is displayed.

Zookeeper
Bytes

 

Step 4: pay

Bytes

 

Click Finish to view the Password Change

The above is the delivery process, of course, this is also a complete release in line with the principle of effective measurement.

 

In the first test, the two numbers do not work. As shown in the figure, the donation page in step 2 is not displayed, so I gave up.

 

 

When I had dinner at night, I changed my cell phone and tried another QQ. I found that this QQ was okay.

This QQ is also a two-generation security token with a secure mobile phone... Bright

The process is still the same. When I change this mobile phone, this QQ actually prompts that I can donate money.

 

Okay, I'm testing to donate 1 cent.

Pay down

 

 

In fact, I did not dare to review the reasons provided by the shipping personnel.

 

What if the password modification page is displayed? So I insisted on the test before review...

 

As a result, I did not need to verify the password, do not verify the mobile phone, do not verify the token. Modification successful !!

The text message is also received.

 

Red/Black Alliance reminder

1: This method does not apply to all the QQ programs. You can test three QQ programs on bright. I don't know if it is related to the device or something.

2: there is no article prompt, and the payment prompt is displayed, indicating that the domain name is unauthorized and cannot be changed.