SMS Vulnerability in ZakaZaka
ZakaZaka is Russia’s second-largest food delivery platform after Delivery Club, both owned by Mail.ru, which is one of the largest internet companies in Russia. Mail.ru also owns Russia’s largest social media – VK. A bug hunter named Novovolynsk (Moonwalker) has disclosed a bug in ZakaZaka’s SMS mechanism to Mail.ru on June 18th this year, to which the company has rewarded him $150 the very next month. While Mail.ru didn’t clearly describe the bug until now, a request by one of the users at HackerOne to Novovolynsk has revealed the bug details.
— publiclyDisclosed (@disclosedh1) December 9, 2020 He described the issue as “SMS code for phone number change in zakazaka.ru was not sufficiently protected against brute-force,” in the description of his submission in HackerOne. This shouldn’t be a problem now since Mail.ru has resolved the issue, and marked its severity as a medium! Vladimir Dubrovin, Mail.ru’s staff has initially marked it medium severe, later changed to low, and again to a medium before resolving with a score of 6.1/10. It’s classified as a Business Logic Error, which happens when the regular business flow was tampered with to get the negative consequences. For example, an attacker in this case can brute force the user’s account to get the SMS code whenever he tries to change the phone number. Thus, he can replace the phone number with something that’s in his control, and take over the target’s account. These type of attacks can often be limited by setting strong authentication protocols, like limiting the number of times one can enter the SMS code to verify.