Account Takeover in Password Reset Function
Team Summary
Official summary from Mars
A critical authentication bypass was present in the password reset functionality of the ███████ website at ███████. It allowed an attacker to take over any user account without access to the victim's phone number or to the one-time password (OTP) sent to it via SMS.

The flaw was in the "Forgot Password" flow. The server sent an OTP to the user's registered phone number and was supposed to require that OTP before permitting a password reset. In practice, the server only returned the verification verdict to the client and left the client to decide whether to proceed; the subsequent password-reset request was not bound to a successful server-side OTP verification. An attacker could therefore submit any OTP, intercept the server's failure response in a proxy tool, change the status from failure to success and adjust the JSON body, and the client would then present the reset form. Submitting a new password from that form was accepted by the server, so the attacker could set a new password on the victim's account without ever receiving or entering the legitimate OTP.

The vulnerability was assigned a CVSS score of 9.6 (Critical). It amounted to a complete failure of the authentication control that is meant to protect accounts during password reset: the check existed, but nothing on the server side enforced its outcome.
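The following is an added illustration, not code from the report or from the affected site, of the pattern described above and of the fix a practitioner would want to see. It is a self-contained Python simulation: `VulnerableResetService` returns the OTP verdict to the client and lets the reset endpoint accept a new password with no proof of verification, while `HardenedResetService` issues a short-lived, single-use reset token only after a genuine OTP match and requires that token to reset the password. The phone number, OTP format, endpoint names and the `tamper` step (what an intercepting proxy would do to the response) are all constructed for the example.

```python
import hmac
import secrets
import time

# Constructed sample data: one user record. The "SMS" is simulated by returning the OTP.
USERS = {"+15550001111": {"password": "old-password"}}


class VulnerableResetService:
    """Reproduces the flaw pattern: the server issues an OTP and reports the verdict,
    but reset_password never checks that verification actually succeeded."""

    def __init__(self):
        self.otps = {}
        self.users = {p: dict(u) for p, u in USERS.items()}

    def forgot_password(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[phone] = otp
        return otp  # would go out by SMS; returned here so callers can simulate the victim

    def verify_otp(self, phone, otp):
        # The client inspects this body to decide whether to show the reset form.
        ok = self.otps.get(phone) == otp
        return {"status": "success" if ok else "failure"}

    def reset_password(self, phone, new_password, reset_token=None):
        # Only gate was client-side; reset_token is ignored and nothing is verified here.
        self.users[phone]["password"] = new_password
        return True


class HardenedResetService:
    """Binds the reset to a server-issued token that exists only after a real OTP match."""

    TOKEN_TTL = 600   # seconds a reset token stays valid
    MAX_ATTEMPTS = 5  # OTP guesses allowed before the code is invalidated

    def __init__(self):
        self.otps = {}    # phone -> [otp, attempts_left]
        self.tokens = {}  # reset_token -> (phone, expires_at)
        self.users = {p: dict(u) for p, u in USERS.items()}

    def forgot_password(self, phone):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.otps[phone] = [otp, self.MAX_ATTEMPTS]
        return otp

    def verify_otp(self, phone, otp):
        entry = self.otps.get(phone)
        if entry is None or entry[1] <= 0:
            return {"status": "failure"}
        entry[1] -= 1
        if not hmac.compare_digest(entry[0], otp):
            return {"status": "failure"}
        del self.otps[phone]  # an OTP is consumed on first successful use
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (phone, time.time() + self.TOKEN_TTL)
        return {"status": "success", "reset_token": token}

    def reset_password(self, phone, new_password, reset_token=None):
        record = self.tokens.pop(reset_token, None)  # single use: removed even on failure
        if record is None:
            return False
        bound_phone, expires_at = record
        if bound_phone != phone or time.time() > expires_at:
            return False
        self.users[phone]["password"] = new_password
        return True


def tamper(response):
    """What the attacker's proxy does: rewrite the verdict and invent a token field."""
    forged = dict(response)
    forged["status"] = "success"
    forged.setdefault("reset_token", "attacker-guess")
    return forged


def run_attack(service, phone="+15550001111", new_password="pwned"):
    """Attacker never sees the real OTP; returns True if the password was changed anyway."""
    real_otp = service.forgot_password(phone)  # delivered to the victim, not the attacker
    wrong_otp = "000000" if real_otp != "000000" else "111111"  # guaranteed-wrong guess
    resp = tamper(service.verify_otp(phone, wrong_otp))
    if resp["status"] != "success":  # the client-side gate, satisfied by the forged body
        return False
    service.reset_password(phone, new_password, resp.get("reset_token"))
    return service.users[phone]["password"] == new_password


def legitimate_reset(service, phone="+15550001111", new_password="fresh"):
    """The victim's own flow: returns (reset succeeded, token still reusable)."""
    otp = service.forgot_password(phone)
    resp = service.verify_otp(phone, otp)
    first = service.reset_password(phone, new_password, resp.get("reset_token"))
    second = service.reset_password(phone, "again", resp.get("reset_token"))
    return first, second
```

The hardened service makes the response-manipulation step irrelevant: the client may be told anything, but `reset_password` only succeeds with a token the server itself created, bound to the phone number, expiring after `TOKEN_TTL` and discarded on first use. The attempt counter also stops an attacker from falling back to brute-forcing the six-digit code.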
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Authentication Bypass