CVE-2020-27416 Mahavitaran Android Application: Account take over via OTP bypass

Vulnerable Software: Maharashtra State Electricity Board Android Application

Vulnerability: Account take over via OTP bypass

Affected Version: 7.50 and prior

Patched: Yes

Vendor Homepage:

App store link:

CVE: CVE-2020-27416

CVE Author: Tejas Nitin Pingulkar

Exploit Available: POC Available

About Affected Software

The Official App for Consumer by Mahavitaran ( M.S.E.D.C.L.). Mahavitaran

Consumer App enables consumers to avail Mahavitaran services at his/her

fingertips. The app is simple and easy to use. It provides transparency

in delivering services to consumers.

►Features :

*View and Pay bill

*Register and Track complaints

*View Bill and Payment history

*Manage Multiple Electricity Connections

*Contact 24 x7 MSEDCL Call Center

*Apply for New Connection

* Know the status of New Connection Application and Pay Estimate Charges

*Submit Meter Reading to avoid average billing

*Provide Feedback about Mahavitaran Services

*Update Contact Details ( Mobile Number & E-mail ID ) of consumer

*Find MSEDCL offices and collection centers near you

*Estimate your monthly electricity consumption and bill amount

*Get Information about the Feeder from where the power supply is provided to your connection

*Apply for the change of name

*Submit an application for addition/reduction in load


Intercept traffic via a proxy application such as Burp

Click on forget password

Enter user-id 

Enter any number as OTP

Manipulate response in proxy change “valid”: true

Enter a password of your choice, and you just get access to the user account.


CVE-2020-27416 Mahavitaran Android Application: Account take over via OTP bypass

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top