Reset the password of any account on the Android Client
My daughter-in-law recommended this app to me, and then she changed her password...
When I registered with a mobile phone number, I noticed that the verification code was only 4 digits and suspected it could be brute-forced. When I tested it, the result was worse: the verification code is returned directly in the response to the request that asks for it. This means you can register with a mobile phone number that does not actually exist, such as 13512345678.
(Screenshot: the response returns the verification code directly, here 6390.)
Enter the verification code and the system prompts that the number is already registered: you can log in or register another account (if you choose the latter, the original content is discarded and the associated mobile phone number is lost). Logging in shows that this is a tester's account.
The same method works for any other number that has not been registered.
Password retrieval works the same way: you can reset the password directly using the code returned in the response.
The verification code is in fact checked again on the server, so the bug is simply that the code is returned in the response to the request, but its impact is huge.
The code is DES-encrypted and then verified again on the server.
The data packet sent to the server is self-signed (a computed sign value). If you use Burp to modify the mobile phone number and resend the packet, the server returns a 500 error.
However, the signing algorithm runs on the client, so it can be reproduced; it is not a real barrier.
A re-implementation of the same algorithm computes a valid sign for the modified request.
With that you can register accounts at will or reset the password of any account.
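To make the point about the self-signed packet concrete, the following is an added example, not code from the report or from the app. The report does not disclose the real signing algorithm, so this uses a hypothetical stand-in: an MD5 over the sorted request parameters plus a secret assumed to be embedded in the APK. A replayed packet with an edited phone number fails the server check, as the report observes, while a re-implemented client produces a fresh, valid sign for the same edited packet, which is why the sign does not stop the attack.

```python
import hashlib
import hmac

# Hypothetical client-side secret baked into the APK. Anyone who reverses the
# app can recover it, so it proves nothing about who is sending the request.
APP_SECRET = "assumed-secret-from-apk"


def compute_sign(params: dict) -> str:
    """Assumed signing scheme (stand-in for the app's real one): MD5 over the
    sorted key=value pairs joined with '&', followed by the embedded secret."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.md5((canonical + "&key=" + APP_SECRET).encode()).hexdigest()


def build_request(phone: str, code: str) -> dict:
    """What the (re-implemented) client sends: body plus its own sign."""
    body = {"mobile": phone, "code": code, "ts": "1700000000"}
    body["sign"] = compute_sign(body)
    return body


def server_verify(request: dict) -> bool:
    """Server-side check as the report describes it: recompute the sign over
    everything except the sign field and compare (constant-time)."""
    body = {k: v for k, v in request.items() if k != "sign"}
    expected = compute_sign(body)
    return hmac.compare_digest(expected, request.get("sign", ""))


def replay_with_edited_phone(request: dict, new_phone: str) -> dict:
    """Burp-style edit: change the mobile number but keep the old sign.
    This is the variant that gets the 500 error in the report."""
    tampered = dict(request)
    tampered["mobile"] = new_phone
    return tampered


if __name__ == "__main__":
    original = build_request("13512345678", "6390")
    tampered = replay_with_edited_phone(original, "13500000000")
    forged = build_request("13500000000", "6390")
    print("original verifies:", server_verify(original))   # True
    print("tampered replay verifies:", server_verify(tampered))  # False
    print("re-signed forgery verifies:", server_verify(forged))  # True
```

The sign only binds the body to a secret the client already holds; it does not bind the request to the person who owns the phone number. Once the algorithm is reproduced, the server cannot distinguish the attacker's client from the real one.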
Solution:
1. Do not return the verification code in the response when a mobile verification code is requested; it should only ever be delivered to the phone.
2. Preferably use a 6-digit verification code.
3. If the iOS client uses the same logic, it needs to be fixed as well.
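As an added example, not code from the report or from the app, the Python below models the verification-code service as the report describes it (4-digit code, echoed in the response, unlimited tries) beside a hardened one that follows the points above and keeps the code server-side only. The class names, the in-memory store, the SMS stand-in, the 5-attempt cap and the 5-minute lifetime are assumptions of this example; the attempt cap and lifetime are not in the report but are what makes a 6-digit code actually resist guessing.

```python
import hashlib
import hmac
import secrets
import time

# Constructed SMS stand-in: in production this is the SMS gateway call.
# The legitimate user reads the code from here; an attacker cannot.
SMS_OUTBOX = {}


def deliver_by_sms(phone, code):
    SMS_OUTBOX[phone] = code


class VulnerableCodeService:
    """The pattern in the report: 4-digit code, echoed in the API response,
    and no limit on verification attempts."""

    def __init__(self):
        self._codes = {}

    def request_code(self, phone):
        code = f"{secrets.randbelow(10_000):04d}"
        self._codes[phone] = code
        deliver_by_sms(phone, code)
        return {"status": "ok", "code": code}   # the bug: code leaks to the caller

    def verify(self, phone, code):
        return self._codes.get(phone) == code

    def has_pending(self, phone):
        return phone in self._codes


class HardenedCodeService:
    """6-digit code, stored only as a keyed hash, short lifetime, capped
    attempts, single use, and nothing about the code in the response."""

    CODE_DIGITS = 6
    TTL_SECONDS = 300
    MAX_ATTEMPTS = 5

    def __init__(self, now=time.time, code_source=secrets.randbelow):
        self._now = now                    # injectable clock (to test expiry)
        self._code_source = code_source    # injectable RNG (for deterministic tests)
        self._key = secrets.token_bytes(32)
        self._pending = {}                 # phone -> [digest, expires_at, attempts]

    def _digest(self, phone, code):
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def request_code(self, phone):
        code = f"{self._code_source(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
        self._pending[phone] = [self._digest(phone, code), self._now() + self.TTL_SECONDS, 0]
        deliver_by_sms(phone, code)
        return {"status": "ok"}            # no code, no hash, no hint

    def verify(self, phone, code):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= self.MAX_ATTEMPTS:
            self._pending.pop(phone, None)   # expired or locked: force a fresh code
            return False
        entry[2] += 1
        if hmac.compare_digest(digest, self._digest(phone, code)):
            self._pending.pop(phone, None)   # single use
            return True
        return False

    def has_pending(self, phone):
        return phone in self._pending


def attacker_reads_code_from_response(service, phone):
    """The report's attack: request a code for any number, use the echoed value."""
    resp = service.request_code(phone)
    return "code" in resp and service.verify(phone, resp["code"])


def brute_force(service, phone, digits):
    """Try every code in order; returns (success, attempts_used). Stops as soon
    as the service drops the pending code (lockout or expiry)."""
    for n in range(10 ** digits):
        if service.verify(phone, f"{n:0{digits}d}"):
            return True, n + 1
        if not service.has_pending(phone):
            return False, n + 1
    return False, 10 ** digits


def legitimate_user(service, phone):
    """The real owner reads the SMS and submits the code."""
    service.request_code(phone)
    return service.verify(phone, SMS_OUTBOX[phone])
```

Against the vulnerable service the attacker never needs to guess: the code is in the response, and even without that leak a 4-digit code with unlimited attempts falls to at most 10,000 tries. Against the hardened service the response carries nothing, the sixth wrong guess discards the pending code, and the owner still logs in normally from the SMS.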