Vulnerable Software: Maharashtra State Electricity Board Android Application
Vulnerability: Account takeover via OTP Fixation
Affected Version: 7.50 and prior
Patched: Yes
Vendor Homepage: https://www.mahadiscom.in/en/home/
App store link: https://play.google.com/store/apps/details?id=com.msedcl.app&hl=en_IN&gl=US
CVE: CVE-2021-41716
CVE Author: Tejas Nitin Pingulkar
Exploit Available: POC Available
About Affected Software
The official consumer app from Mahavitaran (MSEDCL). The Mahavitaran Consumer App lets consumers access Mahavitaran services at their fingertips. The app is simple and easy to use, and it provides transparency in delivering services to consumers.
Features:
* View and pay bill
* Register and track complaints
* View bill and payment history
* Manage multiple electricity connections
* Contact 24x7 MSEDCL Call Center
* Apply for new connection
* Know the status of a new connection application and pay estimate charges
* Submit meter reading to avoid average billing
* Provide feedback about Mahavitaran services
* Update contact details (mobile number and e-mail ID) of consumer
* Find MSEDCL offices and collection centers near you
* Estimate your monthly electricity consumption and bill amount
* Get information about the feeder from which the power supply is provided to your connection
* Apply for the change of name
* Submit an application for addition/reduction in load
Exploit
Authentication bypass using OTP Fixation
The OTP reset function identifies each OTP request by an id field.
Each OTP ID is associated with a fixed OTP code, so a valid OTP can be reused for unauthorized account access.
Let's generate an OTP for a password reset.
As demonstrated in the video POC below, the OTP ID is 7310828 and the correct OTP for this ID is 565449.
Because the OTP code never changes for a given OTP ID, an attacker who has learned the code once can reset any user's account tied to that ID and gain full access.
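To make the defect concrete from a defender's side, here is an added Python illustration (not MSEDCL's code; every class, secret and account name is constructed for the example) of a reset-OTP service that derives the code from the OTP ID alone, next to a hardened version where the code is random, bound to the account, expiring and single-use:

```python
# Added illustration, not the vendor's code. Contrasts a fixed-per-ID OTP
# (the advisory's bug) with a random, bound, expiring, single-use OTP.
import hashlib
import hmac
import secrets
import time


class FixedOtpService:
    """Vulnerable pattern: the code is a pure function of the OTP ID, so
    every reset request carrying the same ID verifies against the same code."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret  # constructed secret for the example

    def request_otp(self, otp_id: int) -> str:
        # Deterministic: the same otp_id always yields the same 6-digit code.
        digest = hmac.new(self._secret, str(otp_id).encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def verify(self, otp_id: int, code: str) -> bool:
        return hmac.compare_digest(self.request_otp(otp_id), code)


class SingleUseOtpService:
    """Hardened pattern: random code, tied to the account it was issued for,
    time-limited, attempt-limited and invalidated once verified."""

    TTL_SECONDS = 300
    MAX_ATTEMPTS = 5

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # otp_id -> [account, code, issued_at, attempts]

    def request_otp(self, account: str) -> tuple:
        otp_id = secrets.randbits(31)
        code = f"{secrets.randbelow(1_000_000):06d}"  # fresh code every request
        self._pending[otp_id] = [account, code, self._now(), 0]
        return otp_id, code

    def verify(self, otp_id: int, account: str, code: str) -> bool:
        entry = self._pending.get(otp_id)
        if entry is None:
            return False
        stored_account, stored_code, issued_at, attempts = entry
        if self._now() - issued_at > self.TTL_SECONDS or attempts >= self.MAX_ATTEMPTS:
            del self._pending[otp_id]   # expired or brute-forced: discard
            return False
        entry[3] += 1
        if stored_account != account or not hmac.compare_digest(stored_code, code):
            return False
        del self._pending[otp_id]       # single use: a replay with this ID fails
        return True
```

With the fixed service a code captured once keeps verifying for the same ID indefinitely; with the hardened service a second verification of the same ID, a mismatched account, or a verification after the TTL all fail.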
Proof Of Concept
Thanks!