SnapChat Exposes "One Tap Passwords" for any user ($25000 USD)
Original Post:
We discussed this vulnerability during Episode 79 on 06 September 2021
I’m not sure what the normal flow for a “One Tap Password” is, but /scauth/otp/droid/logout can be used to retrieve an OTP token in the response, which can then be passed to /scauth/otp/login along with the username to log in.

The problem is that the logout endpoint accepts and trusts a user_id parameter, so an attacker can supply a victim’s user_id and retrieve an OTP password for the victim, allowing them to log in as that user.
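The authorization flaw described above, as an added illustration that is not code from the report or from Snapchat: a logout handler that mints a one-tap token for whatever user_id the client sends, beside the fixed handler that only mints a token for the authenticated session. The HMAC token format, SERVER_KEY, USERS and the handler signatures are constructed assumptions standing in for the real service.

```python
import hmac
import hashlib
import secrets

# Constructed demo data, not Snapchat's: a per-process signing key and a tiny user table.
SERVER_KEY = secrets.token_bytes(32)
USERS = {"alice_id": "alice", "bob_id": "bob"}  # user_id -> username


def issue_otp(user_id: str) -> str:
    """Mint a one-tap token bound to a user_id (HMAC stands in for the real scheme)."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def otp_login(username: str, token: str):
    """Model of /scauth/otp/login: succeed only if the token was minted for this username's id."""
    nonce, _, mac = token.partition(".")
    for user_id, name in USERS.items():
        if name == username:
            expected = hmac.new(
                SERVER_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256
            ).hexdigest()
            return user_id if hmac.compare_digest(mac, expected) else None
    return None


def logout_vulnerable(session_user_id: str, params: dict) -> str:
    """Model of the flawed /scauth/otp/droid/logout: the caller's session is ignored and
    the client-supplied user_id decides whose token is minted (an IDOR on the token)."""
    return issue_otp(params["user_id"])


def logout_fixed(session_user_id: str, params: dict) -> str:
    """Hardened form: the subject of the token is always the authenticated session user.
    A client-supplied user_id is only tolerated when it matches, and mismatches are rejected
    (a good place to log, since a mismatch is exactly the probe an attacker would send)."""
    if params.get("user_id") not in (None, session_user_id):
        raise PermissionError("user_id does not match the authenticated session")
    return issue_otp(session_user_id)
```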