Macrozheng Mall Unauthenticated Password Reset Vulnerability in OTP Workflow

Vulnerability

A vulnerability exists in Macrozheng Mall versions through 1.0.3 that allows unauthenticated attackers to reset user passwords through the password reset workflow in the mall-portal. The workflow returns the one-time password (OTP) in the API response of the code-request endpoint, and the password update endpoint validates a request only by comparing the submitted OTP with the value stored for the given telephone number. Because anyone who can call the code-request endpoint for a number also receives that number's OTP, the check proves nothing about identity or ownership of the number. The flaw enables remote account takeover of any user whose telephone number is known or guessable.

Impact

Exploitation allows for unauthorized password resets and account takeovers for any user associated with a telephone number.

Reproduction

To reproduce this vulnerability, request an OTP by sending a GET request to the '/sso/getAuthCode' endpoint with the target telephone number; the OTP is returned in the response body. Then reset the password by sending a POST request to the '/sso/updatePassword' endpoint with the same telephone number, the new password, and the OTP just received. The target account's password is changed, and the attacker can log in as that user. No prior authentication or access to the victim's phone is needed at any step.

Remediation

To address this vulnerability, remove the OTP from the API response and deliver it only through an out-of-band channel the account owner controls, such as SMS or email. Implement rate limiting on both the OTP request and password update endpoints, and ensure that each OTP can be used only once. With the OTP no longer in the response, return the same generic message ("a code has been sent if the number is registered") whether or not the number exists, to reduce the risk of account enumeration.
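The following Python model covers both the Reproduction and the Remediation sections above. It is an added example written for this page, not code from the Macrozheng Mall project: the vulnerable handlers are reconstructed from the advisory text (OTP echoed by getAuthCode, updatePassword checking only the code stored for the telephone number), and the hardened handlers implement the fixes listed. The parameter names (telephone, password, authCode), the response shapes, the code lifetime, and the rate-limit thresholds are assumptions; the SMS gateway is replaced by an in-memory outbox so the whole thing runs offline.

```python
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 300        # assumed lifetime of an issued code
WINDOW_SECONDS = 600         # assumed rate-limit window
CODE_REQUEST_LIMIT = 3       # getAuthCode calls per number per window (assumed)
RESET_ATTEMPT_LIMIT = 5      # updatePassword calls per number per window (assumed)


@dataclass
class Store:
    users: dict                                      # telephone -> password
    codes: dict = field(default_factory=dict)        # telephone -> (code, issued_at)
    request_log: dict = field(default_factory=dict)  # (endpoint, telephone) -> [timestamps]
    sms_outbox: list = field(default_factory=list)   # (telephone, code); stands in for the SMS gateway


def _new_code():
    return "".join(secrets.choice("0123456789") for _ in range(6))


# --- Vulnerable flow, reconstructed from the advisory (not the project's code) ---

def vuln_get_auth_code(store, telephone):
    """GET /sso/getAuthCode: stores a code for the number and echoes it in the response."""
    code = _new_code()
    store.codes[telephone] = (code, time.time())
    return {"code": 200, "message": "ok", "data": code}   # the leak: OTP in the HTTP body


def vuln_update_password(store, telephone, password, auth_code):
    """POST /sso/updatePassword: accepts any caller whose code matches the stored one."""
    if telephone not in store.users:
        return {"code": 500, "message": "account not found"}
    stored = store.codes.get(telephone)
    if stored is None or stored[0] != auth_code:
        return {"code": 500, "message": "wrong code"}
    store.users[telephone] = password
    return {"code": 200, "message": "password updated"}


def takeover(store, victim_phone, new_password):
    """Attacker flow from the Reproduction section: read the OTP out of the
    getAuthCode response and replay it to updatePassword."""
    otp = vuln_get_auth_code(store, victim_phone)["data"]
    return vuln_update_password(store, victim_phone, new_password, otp)


# --- Hardened flow, implementing the Remediation section (assumed design) ---

def _rate_limited(store, key, now, limit):
    """Sliding-window counter per (endpoint, telephone); attempts are logged even when refused."""
    recent = [t for t in store.request_log.get(key, []) if now - t < WINDOW_SECONDS]
    store.request_log[key] = recent + [now]
    return len(recent) >= limit


def safe_get_auth_code(store, telephone, now=None):
    """The code leaves only through the SMS channel. The HTTP reply is identical for
    registered and unregistered numbers, so the endpoint does not enumerate accounts."""
    now = time.time() if now is None else now
    if _rate_limited(store, ("code", telephone), now, CODE_REQUEST_LIMIT):
        return {"code": 429, "message": "too many requests"}
    if telephone in store.users:
        code = _new_code()
        store.codes[telephone] = (code, now)
        store.sms_outbox.append((telephone, code))
    return {"code": 200, "message": "if the number is registered, a code has been sent"}


def safe_update_password(store, telephone, password, auth_code, now=None):
    """Single use: the stored code is consumed on the first attempt, right or wrong,
    so an attacker gets one guess per issued code. Codes also expire after the TTL
    and are compared in constant time."""
    now = time.time() if now is None else now
    if _rate_limited(store, ("reset", telephone), now, RESET_ATTEMPT_LIMIT):
        return {"code": 429, "message": "too many requests"}
    entry = store.codes.pop(telephone, None)
    if (entry is None or now - entry[1] > OTP_TTL_SECONDS
            or not secrets.compare_digest(entry[0].encode(), str(auth_code).encode())):
        return {"code": 400, "message": "invalid or expired code"}
    store.users[telephone] = password
    return {"code": 200, "message": "password updated"}


if __name__ == "__main__":
    # Constructed sample account; phone number is made up.
    vuln = Store(users={"13800000000": "original"})
    print("vulnerable:", takeover(vuln, "13800000000", "attacker-chosen"), vuln.users)
    safe = Store(users={"13800000000": "original"})
    print("hardened:", safe_get_auth_code(safe, "13800000000"), safe.users)
```

In the hardened version the only way to learn a code is to receive the SMS, a wrong guess burns the code, and the per-number limiter caps how many codes or attempts an attacker can trigger; a production deployment would additionally key the limiter on client IP, which this in-process model does not see.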

Added: Feb 7, 2026, 10:18 PM
Updated: Feb 8, 2026, 11:01 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.3
remediation: 0.0
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.