Methods to Bypass OTP in Mobile Apps: Successful VAPT Scenarios
Vulnerability Assessment and Penetration Testing

Introduction
Resecurity conducted hundreds of VAPT (Vulnerability Assessment and Penetration Testing) engagements for customers of different sizes and profiles—ranging from Fortune 100 corporations to emerging start-ups looking to test their cybersecurity controls before going live. Interestingly enough, regardless of the maturity of the company, issues related to API and authorization were identified in many cases, especially when the application had been developed by a third party.
This white paper describes the most common issues identified as a result of successful testing, when our specialists are able to identify critical vulnerabilities and recommend a path to mitigate them, thereby preventing possible damage if a real-life attack exploits these vulnerabilities and the company suffers a data breach or a leak of customer data.
These vulnerabilities have been identified in numerous mobile apps and SaaS-based applications serving a large number of customers. Failing to patch them in a timely manner may lead to significant risks, especially in the fintech sector, where attackers may exploit such flaws for fraudulent operations, leveraging customer accounts for their own benefit while bypassing MFA.
What is MFA?
Multifactor Authentication (MFA) or Two-Factor Authentication (2FA) is when a user is required to present more than one type of evidence in order to authenticate to a system. There are five different types of evidence (or factors), and any combination of these can be used; however, in practice only the first three are common in web applications.
It should be noted that requiring multiple instances of the same authentication factor (such as needing both a password and a PIN) does not constitute MFA and offers minimal additional security. The factors used should be independent of each other and should not be compromisable by the same attack. While the following sections discuss the disadvantages and weaknesses of various types of MFA, in many cases these are only relevant against targeted attacks.
What is OTP?
One Time Password (OTP) tokens are a form of possession-based authentication, where the user is required to submit a constantly changing numeric code in order to authenticate. The most common are Time-based One Time Password (TOTP) tokens, which can be either hardware- or software-based.
A cheaper and easier alternative to hardware tokens is using software to generate Time-based One Time Password (TOTP) codes. This typically involves the user installing a TOTP application on their mobile phone and then scanning a QR code provided by the web application, which supplies the initial seed. The authenticator app then generates a six-digit number every 60 seconds, in much the same way as a hardware token.
Most websites use standardized TOTP tokens, allowing the user to install any authenticator app that supports TOTP. However, a small number of applications use their own variants, which require users to install a specific app in order to use the service. This should be avoided in favour of a standards-based approach.
SMS messages or phone calls can also be used to provide users with a single-use code that they must submit as an additional factor. Due to the risks posed by these methods, they should not be used to protect applications that hold Personally Identifiable Information (PII) or where there is financial risk, e.g. healthcare and banking. NIST SP 800-63 does not allow these factors for applications containing PII.
Email verification requires that the user enters a code or clicks a link sent to their email address. There is some debate as to whether email constitutes a form of MFA, because if the user does not have MFA configured on their email account, it simply requires knowledge of the user's email password (which is often the same as their application password).
There are also Hardware OTP Tokens, which generate a constantly changing numeric code that must be submitted when authenticating. The most well-known of these is the RSA SecurID, which generates a six-digit number that changes every 60 seconds. Some implementations require a backend server, which can introduce new vulnerabilities as well as a single point of failure.
What businesses are using OTP
Many types of businesses and organizations utilize One-Time Passwords (OTPs) as a security measure to protect user accounts and sensitive information. Common sectors include:
1. Financial Institutions:
Banks, credit card companies, and online payment platforms (e.g., PayPal, Stripe) use OTPs for authenticating transactions and login attempts. Major global banks, payment service providers (e.g., Visa, MasterCard, PayPal), and investment platforms all implement OTPs as part of their security protocols. Compliance with regulations such as the EU Payment Services Directive (PSD2) often mandates strong customer authentication, including OTPs.
2. E-commerce Platforms:
Online retailers often require OTP verification during account creation, login, or high-value transactions.
3. Telecommunications Providers:
Mobile carriers and telecom services use OTPs for account access, SIM card activation, and fraud prevention.
4. Government Agencies:
To secure access to government portals, tax systems, and citizen services, OTPs are frequently employed.
5. Healthcare Providers:
Hospitals and health insurance companies use OTPs for accessing sensitive health records and insurance information.
6. Email and Cloud Service Providers:
Companies like Google, Microsoft, and Dropbox utilize OTPs for two-factor authentication (2FA).
7. Social Media Platforms:
Platforms such as Facebook, Twitter, and Instagram implement OTPs to enhance account security.
8. Online Gaming and Gambling Sites:
To prevent unauthorized access, these platforms often require OTP verification.
9. Enterprise and Corporate Systems:
Organizations implement OTPs for secure remote access to corporate networks and applications.
Overall, OTPs are a widely adopted security feature across various industries to mitigate unauthorized access and enhance security. At the same time, incidents involving OTP bypass continue to occur, which underscores the need for extensive security testing.
OTP Bypass Vulnerabilities
What are the primary root causes of OTP bypass vulnerabilities?
1. Blind Trust in Client-Side Decisions
Many apps treat the client (mobile device) as trustworthy. When the server sends a response like "OTP verification failed," the app accepts this at face value. Attackers exploit this by intercepting and altering the response to "OTP verified successfully"—and the app blindly obeys, bypassing security.
2. Stateless or Weak Session Tracking
Some systems don’t maintain a record of whether OTP verification was truly completed. After sending an OTP, the server forgets the context. Attackers can skip validation entirely because the server doesn’t double-check if the OTP step was legitimately finished.
3. Lack of Response Integrity Checks
Responses from servers often lack digital signatures or tamper-proofing. Attackers can freely edit responses (e.g., changing "false" to "true") because there’s no cryptographic seal to prove the data is authentic.
Below, Resecurity outlines the most common attack vectors leading to successful OTP bypass exploitation:
1- Password Reset OTP Bypass

Technique Description
Attackers submit an invalid OTP during password reset, then manipulate either:
- the Response (changing "success": false to "success": true), or
- the Request (removing the OTP parameter entirely).
Key Flaws Exploited:
- Client-Side Enforcement: App trusts modified responses without server reconfirmation.
- Optional OTP Field: Server fails to reject requests missing OTP.
Impact:
- Full password reset without OTP access.
- Immediate account compromise.
Steps
1- Trigger OTP Request
Open app → "Forgot Password" → Enter victim's email → Capture request in Burp.
2- Submit invalid OTP (e.g., 1111) → Capture in Burp.
3- Change the request to obtain the response below, then edit the response.
4- Modify Server Response
Forward the request until you see the response, then change false to true and remove the error message:
Original response: {"success":false}
Modified response: {"success":true}
Right-click → "Do Intercept" → "Response to this request" → Forward modified response.
5- Verify Bypass
Proceed to set a new password. The server accepts the manipulated response and allows the password to be changed.
6- Enter new password.
7- Observe that the app now allows the password reset without a valid OTP. Login using the new password; full account access is granted.

2- Account Verification OTP Bypass

Technique Description
Attackers intercept the server's response during email/phone verification and alter the outcome from "verified": false to "verified": true. This exploits the app's reliance on client-side validation, allowing account verification without submitting a valid OTP.
Key Flaws Exploited:
- Stateless Verification: Server doesn't recheck OTP status post-response.
- Unsigned Responses: Lack of cryptographic signatures enables tampering.
Impact:
- Fake verification enables fraud (e.g., unauthorized transactions, fake profiles).
- Exposes sensitive features to unauthorized access.
Steps
1- Trigger Email Verification
Verify Email → Capture request.
2- Intercept the server's response.
3- Change false to true and remove error messages.
4- App now marks the email as verified without a valid OTP.
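A server-side design that closes the three root causes listed above for both the password-reset and the account-verification scenario, added here as an example (not code from this paper or from any application Resecurity tested): the server records whether the OTP step was really completed, rejects requests that omit the OTP field, and the reset step re-checks the server's own flag rather than anything the client reports. The function names and the in-memory dictionaries standing in for the backend database are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5   # lock the code after this many wrong guesses
OTP_TTL = 300      # seconds a code (and its verified state) stays valid


@dataclass
class OtpState:
    code: str
    issued_at: float
    attempts: int = 0
    verified: bool = False   # set only by the server, never by a client response


# Constructed in-memory stores (assumption): a real backend persists these server-side.
_otp_store: dict[str, OtpState] = {}
_passwords: dict[str, str] = {}


def issue_otp(account: str, now: float) -> str:
    """Generate a fresh 6-digit code and record it server-side; deliver it out of band."""
    code = f"{secrets.randbelow(10**6):06d}"
    _otp_store[account] = OtpState(code=code, issued_at=now)
    return code   # sent via SMS/email; never echoed in an API response


def verify_otp(account: str, request: dict, now: float) -> dict:
    """The server decides the outcome; the client's view of success is never consulted."""
    state = _otp_store.get(account)
    if state is None or now - state.issued_at > OTP_TTL:
        return {"success": False, "error": "no active OTP"}
    if state.attempts >= MAX_ATTEMPTS:
        return {"success": False, "error": "too many attempts"}
    state.attempts += 1
    submitted = request.get("otp")
    if not isinstance(submitted, str):   # a missing OTP field is a hard failure, not optional
        return {"success": False, "error": "otp required"}
    if not hmac.compare_digest(submitted.encode(), state.code.encode()):
        return {"success": False, "error": "invalid otp"}
    state.verified = True
    return {"success": True}


def reset_password(account: str, new_password: str, now: float) -> dict:
    """Re-checks the server-held flag; a tampered earlier response changes nothing here."""
    state = _otp_store.get(account)
    if state is None or not state.verified or now - state.issued_at > OTP_TTL:
        return {"success": False, "error": "otp not verified"}
    _passwords[account] = new_password
    del _otp_store[account]   # one-time use: the verification is consumed
    return {"success": True}
```

Account verification follows the same pattern: the "verified" flag lives in the server store and the profile is marked verified only from that flag, so editing the JSON returned to the app has no effect.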

What Else Should Be Tested?
The techniques described in this whitepaper are just a part of the very broad spectrum of possible threats and attack vectors leading to OTP bypass.
Resecurity recommends that businesses perform an in-depth assessment according to the OWASP Web Security Testing Guide (WSTG), which includes the following phases:
4.1 Information Gathering
4.2 Configuration and Deployment Management Testing
4.3 Identity Management Testing
4.4 Authentication Testing
4.5 Authorization Testing
4.6 Session Management Testing
4.7 Input Validation Testing
4.8 Testing for Error Handling
4.9 Testing for Weak Cryptography
4.10 Business Logic Testing
4.11 Client-side Testing
4.12 API Testing
Our experts hold the following industry certifications and have an extensive track record of successful work with leading Fortune 500 companies and government agencies:
- CISSP (Certified Information Systems Security Professional)
- CEH (Certified Ethical Hacker)
- CISA (Certified Information Systems Auditor)
- GIAC GCIH (Certified Incident Handler)
- Offensive Security Certified Professional (OSCP)
- GIAC Web Application Penetration Tester (GWAPT)
- eLearnSecurity Certified Penetration Tester eXtreme (eCPTX)
- eLearnSecurity Web Application Penetration Tester Extreme (eWPTXv2)
- eLearnSecurity Certified Professional Penetration Tester (eCPPTv2)
- Attify Certified IoT Security Pentester (ACIP)
- eLearnSecurity Mobile Application Penetration Tester (eMAPT)
- Certified Red Team Professional (CRTP)
- CREST Registered Penetration Tester (CRT)
- CREST Practitioner Security Analyst (CPSA)
Please don't hesitate to contact us anytime at contact@resecurity.com. Our specialists will be happy to assist you with web application security, mobile app testing, and API testing. For more information about VAPT (Vulnerability Assessment and Penetration Testing) services by Resecurity, you may review the following page.