Mail.ru, one of Russia's tech giants, has resolved a bug in its ZakaZaka food delivery platform. The bug was classified as a Business Logic Error: the SMS code that ZakaZaka sends to confirm a phone number change was not adequately protected against brute-force guessing, so an attacker could simply try codes until one was accepted. Mail.ru rewarded the bug hunter who disclosed it and rated the bug as medium severity.

SMS Vulnerability in ZakaZaka

Mail.ru Resolved an SMS Bug

ZakaZaka is Russia's second-largest food delivery platform after Delivery Club; both are owned by Mail.ru, one of the largest internet companies in Russia. Mail.ru also owns VK, Russia's largest social network.

A bug hunter named Novovolynsk (Moonwalker) reported a bug in ZakaZaka's SMS mechanism to Mail.ru on June 18th this year, and the company rewarded him $150 the following month. Mail.ru has not published a detailed description of the bug, but the details came out when another HackerOne user asked Novovolynsk about it.

He described the issue in his HackerOne submission as "SMS code for phone number change in zakazaka.ru was not sufficiently protected against brute-force." Mail.ru has since resolved the issue and marked its severity as medium.

Vladimir Dubrovin of Mail.ru's staff initially marked the report as medium severity, later changed it to low, and then back to medium before resolving it with a score of 6.1 out of 10. It is classified as a Business Logic Error, a weakness in which the application's legitimate workflow is abused, rather than broken, to produce a result the designers did not intend.

In this case, an attacker who initiates a phone number change on the target's account can brute-force the short SMS confirmation code, since nothing stops him from submitting guess after guess until one matches. He can then point the account at a phone number under his control and, because the phone number is used for password reset and login confirmation, take over the target's account.

Attacks of this type are usually stopped by hardening the code verification step rather than by changing the authentication scheme: limit the number of times a code can be entered before it is invalidated, give each code a short lifetime, issue a fresh random code for every attempt at the flow, and rate-limit the endpoint per account and per source address so that a full enumeration of a four- to six-digit code space is never feasible.
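The following is an added example written for this article; it is not ZakaZaka's or Mail.ru's code, and the four-digit code length, the five-attempt limit and the five-minute lifetime are assumptions, since the report does not state ZakaZaka's actual values. It contrasts a verifier that accepts unlimited guesses, which an attacker can exhaust in seconds, with one that counts attempts, expires the code, makes it single-use and compares in constant time.

```python
import hmac
import secrets
import time

# Assumed code length; the report does not say how long ZakaZaka's code is.
CODE_DIGITS = 4


class VulnerableVerifier:
    """Accepts unlimited guesses, so every code in the 10**CODE_DIGITS space can be tried."""

    def __init__(self, code):
        self.code = code

    def verify(self, guess):
        return guess == self.code


class HardenedVerifier:
    """Limits attempts, expires the code, and invalidates it after success or lockout.

    max_attempts and ttl_seconds are assumed values chosen for illustration.
    `now` is injectable so the expiry path can be tested without sleeping.
    """

    def __init__(self, code, max_attempts=5, ttl_seconds=300, now=time.time):
        self.code = code
        self.max_attempts = max_attempts
        self.now = now
        self.expires_at = now() + ttl_seconds
        self.attempts = 0

    def verify(self, guess):
        if self.code is None:          # already consumed, locked out, or expired
            return False
        if self.now() > self.expires_at:
            self.code = None           # expired codes are discarded, not retried
            return False
        self.attempts += 1
        if self.attempts > self.max_attempts:
            self.code = None           # lockout: the user must request a new code
            return False
        if hmac.compare_digest(guess, self.code):   # constant-time comparison
            self.code = None           # single use: a correct code cannot be replayed
            return True
        return False


def issue_code(digits=CODE_DIGITS):
    """Generate a fresh, uniformly random numeric code with a CSPRNG."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def brute_force(verifier, digits=CODE_DIGITS):
    """Enumerate the whole code space against a verifier.

    Returns (code_that_was_accepted_or_None, number_of_guesses_submitted).
    """
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if verifier.verify(guess):
            return guess, n + 1
    return None, 10 ** digits


def demo(code=None):
    """Run the same brute force against both verifiers for one constructed code.

    Returns (attack succeeded on the vulnerable verifier,
             attack was stopped by the hardened verifier).
    """
    code = code or issue_code()
    found, _ = brute_force(VulnerableVerifier(code))
    hardened_found, _ = brute_force(HardenedVerifier(code))
    return found == code, hardened_found is None


if __name__ == "__main__":
    print(demo("4821"))  # constructed code for the demonstration
```

Against the unprotected verifier the full enumeration of a four-digit code takes well under a second; against the hardened one the attacker gets five guesses and is then locked out, and requesting a new code restarts the search from scratch because each code is drawn independently. The attempt counter must live server-side, keyed to the pending change request, and should be backed by per-account and per-IP rate limiting at the HTTP layer so the attacker cannot sidestep it by spawning many parallel change requests.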
