Touch Lebanon Mobile App Password Reset OTP Bypass Vulnerability

Vulnerability

A vulnerability exists in the password reset workflow of the Touch Lebanon Mobile App version 2.20.2. This issue allows attackers to bypass the one-time password (OTP) verification required for resetting passwords. By exploiting this flaw, unauthorized users can reset passwords and gain access to accounts without a legitimate authentication factor, such as an OTP. This vulnerability compromises account security and could lead to unauthorized access to user data.

Impact

Exploitation of this vulnerability allows for account takeover, enabling attackers to gain full control over user accounts. This could disrupt services linked to the account, such as mobile credits or eSIM downloads, and cause customer dissatisfaction.

Reproduction

To reproduce this vulnerability, navigate to the password reset page of the Touch Lebanon Mobile App and enter a valid username associated with an existing account. Then input any arbitrary or incorrect verification code that is longer than six characters. The system accepts the invalid code and allows the password reset to proceed, bypassing the verification requirement.

Remediation

The application's developers are advised to implement proper validation of verification codes during the password reset process. This includes ensuring the submitted code matches the issued code exactly, setting expiration times for codes, and invalidating codes after use. Additionally, rate limiting password reset attempts and strengthening the account recovery flow as a whole can help mitigate the risks associated with this vulnerability.
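The following is an added illustration of the controls listed above, not code from the Touch Lebanon app (the advisory does not disclose its implementation). The code length, the 5-minute lifetime and the 5-attempt limit are assumptions; the point is that a code of the wrong length, including an over-long one like the one described in the reproduction section, can never pass.

```python
import hmac
import secrets
import time

OTP_LENGTH = 6          # assumption: 6-digit numeric codes
OTP_TTL_SECONDS = 300   # assumption: codes expire after 5 minutes
MAX_ATTEMPTS = 5        # assumption: code is invalidated after 5 wrong guesses


class OtpStore:
    """In-memory store of issued reset codes, keyed by username (constructed for this example)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes = {}         # username -> {"code", "expires", "attempts"}

    def issue(self, username):
        # Generate a fresh code with a CSPRNG and replace any outstanding one.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
        self._codes[username] = {
            "code": code,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username, submitted):
        entry = self._codes.get(username)
        if entry is None:
            return False                     # no outstanding code for this account
        if self._now() > entry["expires"]:
            del self._codes[username]
            return False                     # expired: discard it
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._codes[username]
            return False                     # too many guesses: invalidate the code
        # A code of the wrong length can never match, so over-long input is
        # rejected outright instead of being prefix- or partially compared.
        if len(submitted) != OTP_LENGTH:
            return False
        # Constant-time comparison of the complete submitted code.
        if not hmac.compare_digest(submitted.encode(), entry["code"].encode()):
            return False
        del self._codes[username]            # single use: invalidate on success
        return True
```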

Added: Aug 20, 2025, 2:32 PM
Updated: Aug 20, 2025, 2:52 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.