eBankIT 6 Arbitrary OTP Generation – Torchsec
[Description]
In eBankIT 6, the public endpoints /public/token/Email/generate and
/public/token/SMS/generate allow generation of OTP messages to any email
address or phone number without validation.
------------------------------------------
[Additional Information]
The cookies in the request are not needed, they can be empty.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
eBankIT
------------------------------------------
[Affected Product Code Base]
eBankIT - Version 6
------------------------------------------
[Affected Component]
Public API Endpoint: /public/token/Email/generate
Public API Endpoint: /public/token/SMS/generate
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[CVE Impact Other]
Because these endpoints are public, and the values of the cookies are not
required, a threat actor could potentially leverage this functionality to
create a more realistic social engineering scenario that could potentially
affect clients.
------------------------------------------
[Attack Vectors]
To exploit this vulnerability, an attacker must intercept the request to
the api public endpoint: /public/token/Email/generate or
/public/token/SMS/generate. The attacker can modify the parameters to
choose which email or phone number the OTP would go to. This request can be
used without any type of restriction.
------------------------------------------
[Discoverer]
Steeven Rodríguez
Gloss