Mail.ru, one of Russia's tech giants, has resolved a bug in its ZakaZaka platform. The bug was described as a business logic error in ZakaZaka's SMS code for phone number changes, which could be obtained by brute force. Mail.ru rewarded the bug hunter who disclosed it and rated it a medium-severity bug.
SMS Vulnerability in ZakaZaka
ZakaZaka is Russia's second-largest food delivery platform after Delivery Club; both are owned by Mail.ru, one of the largest internet companies in Russia. Mail.ru also owns Russia's largest social network, VK.
A bug hunter named Novovolynsk (Moonwalker) disclosed a bug in ZakaZaka's SMS mechanism to Mail.ru on June 18th this year, and the company rewarded him $150 the very next month. While Mail.ru hadn't clearly described the bug until now, a request from one of the users on HackerOne to Novovolynsk has revealed the bug details.
https://t.co/pkOyhwSTRP disclosed a bug submitted by moonwalker: https://t.co/iSRxbOI5eH – Bounty: $150 #hackerone #bugbounty pic.twitter.com/NG4AnQE8fv
— publiclyDisclosed (@disclosedh1) December 9, 2020
He described the issue as "SMS code for phone number change in zakazaka.ru was not sufficiently protected against brute-force," in the description of his submission on HackerOne. This shouldn't be a problem now, since Mail.ru has resolved the issue and marked its severity as medium.
Vladimir Dubrovin of Mail.ru's staff initially marked it as medium severity, later changed it to low, and then back to medium before resolving it with a score of 6.1/10. It's classified as a business logic error, which happens when the regular business flow is tampered with to produce consequences the application never intended.
For example, an attacker in this case could trigger a phone number change on the victim's account and brute force the SMS verification code, since the number of guesses was not limited. He could then replace the phone number with one under his control and take over the target's account.
These types of attacks can often be limited by stronger verification controls, such as capping the number of times an SMS code can be entered before it is invalidated, and by giving each code a short lifetime.
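As an added illustration of the mitigation described above (this is example code written for this article, not ZakaZaka's or Mail.ru's implementation), the following Python sketch verifies a phone-change SMS code with an attempt cap and an expiry. The limits (six digits, five attempts, five-minute lifetime) and the class and function names are assumptions chosen for the example; the point is that a code is invalidated after a handful of wrong guesses, so guessing all possible values is no longer feasible.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example, not ZakaZaka's real settings.
OTP_DIGITS = 6
MAX_ATTEMPTS = 5        # code is destroyed after this many wrong guesses
OTP_TTL_SECONDS = 300   # code is destroyed after five minutes


@dataclass
class PendingChange:
    """One outstanding phone-number change awaiting SMS confirmation."""
    code: str
    new_phone: str
    issued_at: float
    attempts: int = 0


class PhoneChangeVerifier:
    """Tracks at most one pending phone change per user and verifies its SMS code.

    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self._pending: dict[str, PendingChange] = {}
        self._clock = clock

    def start_change(self, user_id: str, new_phone: str) -> str:
        # Cryptographically random code; any earlier pending change is replaced.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = PendingChange(code, new_phone, self._clock())
        # A real service hands the code to the SMS gateway; it is returned here
        # only so the example can exercise verify().
        return code

    def verify(self, user_id: str, submitted: str) -> tuple[bool, str]:
        pending = self._pending.get(user_id)
        if pending is None:
            return False, "no pending change"
        if self._clock() - pending.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]
            return False, "code expired"
        # Count the attempt before comparing so a wrong guess always costs one.
        pending.attempts += 1
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[user_id]
            return True, f"phone changed to {pending.new_phone}"
        if pending.attempts >= MAX_ATTEMPTS:
            # The cap is the actual mitigation: the code dies with the pending change.
            del self._pending[user_id]
            return False, "too many attempts; code invalidated"
        left = MAX_ATTEMPTS - pending.attempts
        return False, f"wrong code ({left} attempts left)"


def wrong_guess_for(code: str) -> str:
    """Return a value guaranteed to differ from `code` (for demonstrations)."""
    return "000000" if code != "000000" else "111111"


def guesses_until_invalidated(verifier: PhoneChangeVerifier, user_id: str, code: str) -> int:
    """Submit wrong guesses until the verifier refuses further attempts; return the count."""
    n = 0
    while True:
        n += 1
        ok, reason = verifier.verify(user_id, wrong_guess_for(code))
        if reason in ("too many attempts; code invalidated", "no pending change"):
            return n


if __name__ == "__main__":
    v = PhoneChangeVerifier()
    code = v.start_change("alice", "+7-900-000-00-00")
    print("wrong guesses accepted before invalidation:",
          guesses_until_invalidated(v, "alice", code))
    print("correct code after invalidation:", v.verify("alice", code))
```

With this policy an attacker gets five guesses against a million possible codes per change request, and each new request issues a fresh code; the same counter should also back a per-account limit on how often a change can be requested at all, since otherwise repeatedly restarting the flow would restore the guesses.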