Excitel Broadband Private my Excitel App One-Time Password Brute Force Vulnerability
Vulnerability
A vulnerability exists in the Excitel Broadband Private my Excitel App for Android, specifically in version 3.13.0. The issue lies in the One-Time Password (OTP) verification process, which does not effectively limit the number of authentication attempts. Because the app does not block or throttle repeated rapid attempts, the 6-digit OTP can be guessed by brute force. Exploitation could lead to unauthorized access to user accounts, allowing an attacker to view sensitive information such as KYC documents and to change passwords or Wi-Fi connection settings. The vulnerability has been classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts).
Impact
Exploitation of this vulnerability allows for excessive authentication attempts, potentially leading to unauthorized access to user accounts. Once access is gained, an attacker could disrupt Wi-Fi services and access sensitive personal information, including KYC documents.
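The mitigation for CWE-307 is a server-side attempt budget tied to each issued OTP. The following is an added illustration, not code from the Excitel app or any vendor: an in-memory OTP store where `max_attempts=None` models the missing limit and a small budget models the fix. The phone number, the 5-attempt policy and the 300-second lifetime are assumed values for the example.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5       # assumed policy: wrong guesses allowed per issued OTP
OTP_TTL_SECONDS = 300  # assumed policy: OTP lifetime in seconds


class OtpStore:
    """Server-side OTP state keyed by phone number (in-memory, for illustration)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=OTP_TTL_SECONDS):
        # max_attempts=None reproduces the flawed behaviour: no limit at all.
        self.max_attempts = max_attempts
        self.ttl = ttl
        self._entries = {}

    def issue(self, phone, now=None):
        """Generate a fresh 6-digit code and reset the attempt counter."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._entries[phone] = {"code": code, "expires": now + self.ttl, "attempts": 0}
        return code

    def verify(self, phone, guess, now=None):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_otp'."""
        now = time.time() if now is None else now
        entry = self._entries.get(phone)
        if entry is None:
            return "no_otp"
        if now > entry["expires"]:
            del self._entries[phone]
            return "expired"
        entry["attempts"] += 1
        # Budget exhausted: discard the OTP so even a correct guess no longer works.
        if self.max_attempts is not None and entry["attempts"] > self.max_attempts:
            del self._entries[phone]
            return "locked"
        if hmac.compare_digest(entry["code"], str(guess)):
            del self._entries[phone]  # one-time: never accept the same code twice
            return "ok"
        return "wrong"


def guess_success_bound(max_attempts, digits=6):
    """Upper bound on the probability that an attacker guesses one issued OTP."""
    return max_attempts / 10 ** digits
```

With the budget in place the chance of guessing a single 6-digit OTP is at most 5 in a million; without it, the attacker simply keeps trying until the code matches.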
