I found a vulnerability on a large website, what should I do?

I

Ilgiz Khamitov2015-05-16 17:21:37

Information Security

Ilgiz Khamitov, 2015-05-16 17:21:37

I found a vulnerability on one large site (if I may say so), the essence is that during registration you need to confirm the phone number, moreover, go through the captcha.
The bottom line is that you can send a confirmation code to any phone number bypassing the captcha.
You can automate an action that will send everyone an SMS with a confirmation code.
TP does not respond for more than 2 weeks.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Alexander Kamolov, 2015-05-16
@proroot

Or some technical support. For example, like on Yandex, since you say that a large site. Tell them that you have a PoC, you can even send it to them. Or call them and let them switch to SB and explain to them

C

Coderast, 2015-05-16
@Coderast

In vain they wrote to the TP, they would have asked first. It is not clear if it is allowed to send multiple times to the same phone. If it resolves no more than 1 minute, then there is no sense in such a vulnerability. If there are no restrictions, you can make flood services for mobile phones by SMS, for example.
But it's all rubbish. You can’t get money otherwise, they won’t pay if they don’t have it in a special agreement, like Facebook, Yandex and Google.
PS Yes, and you can bypass the captcha with the help of special resources that use neural networks. So even when you register in gmail, send it, there is no sense in this if there is a restriction on sending confirmations to a specific phone.