SnapChat Exposes "One Tap Passwords" for any user ($25000 USD)

We discussed this vulnerability during Episode 79 on 06 September 2021

I’m not sure what the normal flow for a “One Tap Password” is, but /scauth/otp/droid/logout can be used to retrieve an OTP token in the response, which can then be passed to /scauth/otp/login along with the username to log in.

The problem is that the logout endpoint accepts and trusts a user_id parameter, so an attacker can supply a victim’s user_id and retrieve an OTP password for the victim, allowing them to log in as that user.
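The flaw comes down to the server taking the account identity from a request parameter instead of from the authenticated session. The toy model below is an added example, not Snapchat's code or anything from the report: it puts the trusting handler next to a fixed one that derives the user from the session and records any client-supplied user_id that does not match, which is the signal a defender would alert on. All names, the token scheme and the in-memory stores are assumed.

```python
import secrets
from typing import Optional

# Constructed in-memory state standing in for the real backend.
ACCOUNTS = {"victim": "u-1001", "attacker": "u-2002"}  # username -> user_id
ISSUED_OTP = {}                                        # token -> user_id minted for
MISMATCH_EVENTS = []                                   # detection log (session vs param)


def mint_otp(user_id: str) -> str:
    """Mint a single-use one-tap token bound to user_id (assumed scheme)."""
    token = secrets.token_urlsafe(24)
    ISSUED_OTP[token] = user_id
    return token


def logout_vulnerable(session: dict, params: dict) -> dict:
    """Models the bug: a client-supplied user_id overrides the session identity."""
    user_id = params.get("user_id", session["user_id"])
    return {"otp": mint_otp(user_id)}


def logout_fixed(session: dict, params: dict) -> dict:
    """The token is minted only for the session's user; any differing
    user_id in the request is ignored and logged as a tampering signal."""
    user_id = session["user_id"]
    supplied = params.get("user_id")
    if supplied is not None and supplied != user_id:
        MISMATCH_EVENTS.append({"session_user": user_id, "param_user": supplied})
    return {"otp": mint_otp(user_id)}


def otp_login(username: str, otp: str) -> Optional[str]:
    """Consume the token; succeed only if it was minted for that username."""
    user_id = ISSUED_OTP.pop(otp, None)          # single use: pop, never get
    if user_id is None or ACCOUNTS.get(username) != user_id:
        return None
    return user_id
```

Running the two handlers with an attacker session that passes the victim's user_id shows the difference: the vulnerable handler hands out a token that logs in as the victim, the fixed one hands out a token only usable as the attacker and leaves a mismatch event behind for monitoring.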