Logical Vulnerability

Hazard: Allowing the creation of multiple accounts with the same phone number can facilitate fraudulent activities against merchants, such as scams and "exploiting loopholes for small gains" (e.g., repeatedly claiming promotional benefits), among other risks.

Exploitation Method:
During the registration process, perform a packet capture and modify the request. By adding %20 (a URL-encoded space) before the phone number, the system's validation can be bypassed. This allows a single phone number to register an unlimited number of accounts with different passwords.

<img width="2327" height="1362" alt="Image" src="https://github.com/user-attachments/assets/a6807429-fb21-4346-822a-5ee47eff5c2a" />

<img width="2559" height="1445" alt="Image" src="https://github.com/user-attachments/assets/5fb870a9-da35-4ba9-8de4-76c47a521c71" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Logical Vulnerability #117

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Logical Vulnerability #117

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions