Google TEZ account takeover

Akshay Jain
Nov 5, 2017

I don’t do bug bounties as much as I used to, but still, here is one of my findings which I recently reported to Google.

Product name: GOOGLE TEZ

The vulnerability lies in the iOS version of the app, which doesn’t implement rate limiting during the login procedure.

Steps to reproduce:
1. Open the Google Tez app link: https://itunes.apple.com/in/app/tez-a-payments-app-by-google/id1193357041?mt=8

2. Enter the phone number
3. It will send the OTP to the number
4. Keep on entering the wrong OTP. The OTP won’t expire. You can use Burp Intruder or any other tool.

Browser/OS: iOS 11

For the POC purposes, I wrote a small Frida script to automate it.

Unfortunately, it was marked duplicate.

Timeline of Events

OCT 20 2017 — Report Submitted to Google Security Team

OCT 21 2017 — Google acknowledged and confirmed the issue and sent it to the appropriate product team for investigation

OCT 23rd 2017 — Google confirmed that the issue is duplicate

OCT 25th 2017 — Google fixed the bug and rolled out the patch.

PS: Stay tuned. I have reported some interesting bugs in CYLANCE and some next-gen products.
