OTP Bypass via Legacy API Endpoint Leading to Full Account Takeover

An Account Takeover Story

During a recent penetration test on a social media application, I faced a familiar challenge. The clock was ticking down to the report submission deadline, and I hadn't found any notable critical vulnerabilities yet. The application was built on Express.js and appeared to have strong defenses. Just as I was preparing to wrap up, I did one final round of client-side JavaScript analysis, and that's when I found something interesting.

The Hidden Legacy Endpoint

My initial testing of the login flow showed a strong authentication mechanism. Every login attempt required an 8-digit One-Time Password (OTP) sent to the user's registered phone number. Access was only granted after the OTP was successfully validated. This multi-factor flow looked solid.

However, while analyzing the client-side JavaScript files, I discovered a reference to a legacy API endpoint. This endpoint was not part of the normal login flow, yet it was still accessible.

Crucially, this endpoint had a major flaw that completely bypassed the OTP validation step.

Earlier in the assessment, I had already identified an endpoint that exposed all users' phone numbers. This significantly simplified the attack and increased its overall impact, as valid targets were readily available without any guessing or enumeration.

Exploiting the Authentication Bypass

The attack path was straightforward. The legacy endpoint accepted a POST request. Sending it a JSON object containing a valid user's phone number returned a valid authorization token directly in the response, with no OTP required.

My initial attempt failed with a 500 Internal Server Error. After troubleshooting, I identified the issue: the request was not sent with the correct Content-Type. Once I changed it to application/json, the attack worked.

The successful payload was simple:

{
  "phone_number": "1234567890"
}

The response contained a valid authorization token, giving me direct access to the targeted account.

The Impact: Full Account Takeover

With the token, I achieved full account takeover. I could perform any action as the victim user: access private data, send messages, update profile details, and more.

Since valid phone numbers were already exposed via another endpoint, the one input the attack needed was available for every user. Combined with the OTP bypass, this put every account at risk and made the vulnerability critical.

Visualizing the Attack Flow

The diagram below shows the full attack path from discovery to compromise:

[Diagram: OTP Bypass Account Takeover Flow]

Final Thoughts

This was a good reminder that sometimes the most critical vulnerabilities don't come from complex exploitation. They come from overlooked functionality and forgotten endpoints.

For developers and security teams:

  • Remove unused and legacy endpoints instead of leaving them reachable after the UI stops calling them
  • Enforce consistent authentication across all routes, so that every path that issues a session token goes through the same OTP check
  • Avoid exposing sensitive user data, such as phone numbers, through APIs
  • Always review client-side JavaScript carefully; it often still references endpoints the application no longer uses

Sometimes, the biggest vulnerabilities are hiding in plain sight.

Designed & Built by Mehedi Hasan