The Curious Case of Hidden Phone Number Change & POST-to-GET CSRF — A Hacker’s Tale

-

Introduction

Sometimes, the most interesting vulnerabilities aren’t the flashy ones — they’re the sneaky, almost accidental bugs that show just how broken the logic behind a system can be. This is one such story where a "simple" password change page led me down a rabbit hole, exposing insecure phone number updates, exposed JS files, and a site-wide CSRF risk.

The Setup: A Weird Account Settings Page

I was casually poking around a web application’s user settings section when something immediately stood out:
There was only an option to change the password — no UI to update email, name, or even the phone number. This felt odd for a platform that relied heavily on phone-based verification.

The Discovery: A Phone Number Change Endpoint Hidden in Plain Sight

I decided to do some digging, and sure enough, a JavaScript file revealed an unused (and undocumented) phone number change endpoint. However, the parameters required were unclear. I had no documentation, and the request wasn’t being triggered anywhere in the app’s visible functionality.

Connecting the Dots: Reusing Registration Parameters

This is where intuition kicked in. During the registration process, I had noticed the parameters the site used to collect phone numbers. I decided to try using the same parameters in a request to the phone number change endpoint. Surprisingly — it worked.

The Protection Layer: CORS and CSRF

The endpoint was behind CORS and had CSRF protection — so at first glance, exploiting it externally seemed difficult. But after some experimentation, I found a surprising twist:
The site’s backend was vulnerable to a POST to GET CSRF attack. By converting my request to a GET request with parameters in the URL, CSRF protection was completely bypassed.

Impact: Site-Wide CSRF Exposure

This wasn’t just about phone numbers anymore. This POST to GET CSRF weakness applied to every endpoint across the site. Any sensitive action — including changing critical account information — could potentially be triggered by a malicious site tricking the user into visiting a link.

The Disappointing Reward — or Lack of One

Unfortunately, the platform’s reward policy only covered High and Critical vulnerabilities. This issue, despite its real-world exploitability, was downgraded to Medium, meaning no bounty payout.
This is the reality of bug bounty sometimes: cool bugs with real impact go unrewarded just because they don't tick the "critical" box.

Key Takeaways

  • Don’t assume what you see in the UI is all the functionality that exists.
  • Exposed JS files are goldmines for hidden functionality.
  • Reusing parameter conventions across different endpoints can unlock unintended functionality.
  • CSRF protections that only work for POST requests are not protections at all.
  • Not every valuable bug gets you paid — but every bug teaches you something new.

Final Thoughts

Even if this bug didn’t get me a bounty, it’s a fun reminder that security is often a patchwork of half-implemented protections, forgotten endpoints, and accidental bugs — and sometimes, all it takes is a curious eye to find them.

Note : Used chatgpt for better language.

Location: Visakhapatnam, Andhra Pradesh, India

Comments

Post a Comment

Popular posts from this blog

Android pin bypass with rate limiting

-
  Application pin rate limiting bypass The bug is in private program . There is a feature to lock mobile app with pin . But only 3 attempts. If we attempt wrong pin. The app logouts. But there is a misconfig in this feature. If you enter the pin 2 times. close the app and open the app again you will get another 3 attempts . So the rate limiting bypassed by closing and calling the main activity You can launch the main activity as many times as you want with adb while true;     do adb shell am start -a android.intent.action.VIEW \ -n  com.redacted/com.redacted.MainActivity;   sleep 4; done   while the sleep time you can enter the pin 2 times and again the main activity will be called so you can enter pin again Impact :- mobile auth pin rate limiting bypassed No thanks for reading ..!
Read more

💸 "65 Euros for an Account Deletion Fail — When Deleted Doesn’t Mean Deleted"

-
  The Bug I found a weird issue with the platform’s account deletion flow : When a user deletes their account, their added email addresses were not removed from the system. If the user tried to sign up again using the same email , they couldn’t — the system claimed the email was still in use . Impact Users locked out from re-registering after deleting their accounts. Incomplete deletion = privacy issue (user data retained after account removal). Status Bug accepted ✅ Rewarded 65 Euros 💰 Key Lesson Deleting an account should mean deleting everything tied to it , including secondary emails. Half-baked deletion flows = low payout bugs, but solid finds .
Read more