2FA Bypass in PickMyCareer.in
I found a 2FA bypass recently in a responsible disclosure program, pickmycareer.in.
The vulnerability allows an attacker to register any mobile number with his account, bypassing OTP verification.
The process is very simple. During registration, the attacker gives his own mobile number and receives an OTP. He enters the correct OTP and intercepts the request to the /api/user/account/register [POST] API endpoint. Here the attacker keeps the OTP unchanged but changes the mobileNumber param in the request to the victim's mobile number and forwards the request.
Because the website fails to validate that the OTP is actually associated with the submitted mobile number, the attacker is able to register any mobile number with his account, bypassing OTP verification.
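The root cause described above is an OTP check that is not bound to the phone number it was issued for. The following is an added example, not code from pickmycareer.in, showing that flawed pattern next to a hardened one. The server-side language, the in-memory store, the OTP parameter name, the 5-minute lifetime, the 5-attempt budget and the phone numbers used are all assumptions made for illustration.

```python
"""Illustrative OTP verification: the flawed check beside a hardened one.

Constructed example; not the pickmycareer.in code base. The server-side
language, storage, field names and limits are assumptions made for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 5        # assumed guess budget per issued code


@dataclass
class PendingOtp:
    code: str
    mobile: str          # the number the code was actually sent to
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, now=time.time):
        self._now = now                               # injectable clock for testing
        self._pending: dict[str, PendingOtp] = {}     # keyed by mobile number

    def issue(self, mobile: str) -> str:
        """Generate a 6-digit code for `mobile`. A real deployment sends it by SMS
        and never returns it in the HTTP response; it is returned here only so
        the example can drive itself."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[mobile] = PendingOtp(code, mobile, self._now() + OTP_TTL_SECONDS)
        return code

    def register_vulnerable(self, mobile: str, otp: str) -> bool:
        """Flawed pattern matching the write-up: the handler confirms that the
        submitted OTP is one it issued, but never checks which number it was
        issued for, so the mobileNumber field is trusted as-is."""
        for pending in self._pending.values():
            if pending.code == otp:
                return True      # `mobile` gets bound to the account unchecked
        return False

    def register_secure(self, mobile: str, otp: str) -> bool:
        """Hardened check: the code must have been issued to *this* mobile
        number, be unexpired and within the attempt budget, and is consumed
        on success so it cannot be replayed."""
        pending = self._pending.get(mobile)
        if pending is None or pending.mobile != mobile:
            return False         # no code was ever issued to this number
        if self._now() > pending.expires_at:
            del self._pending[mobile]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[mobile]   # force a fresh code after too many tries
            return False
        if not hmac.compare_digest(pending.code, otp):
            return False         # wrong code; the attempt was counted above
        del self._pending[mobile]       # single use
        return True
```

When reviewing an OTP flow, the check to look for is that the lookup is keyed by the identifier being verified (the phone number or e-mail from the request), not by the code alone. Expiry, an attempt budget and single-use consumption close the remaining replay and brute-force gaps.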
The vulnerability is most probably still open and can be exploited. I reported it to support@pickmycareer.in as per the guidelines mentioned here and also tried to contact them by many methods such as alternate emails, mobile number and social media handles. As there has been no reply for nearly 3 months regarding the fix, I am posting this now as it might be educational for beginners in the infosec/bug bounty community.