Bug Hunter Id: https://hackerone.com/uyga
Summary
It's possible to brute-force the recovery code sent by SMS, as the iOS application doesn't limit incorrect inputs. I tried 50+ different combinations until I reached the code from the SMS.
Steps To Reproduce
- Click "Use another option" on application startup view
- Enter your phone number
- Click "Forgotten number"
- Click "OK" on pop-up window
- Brute-force the 4-digit code
PoC video
Mitigation
- Limit the number of attempts allowed for entering the recovery code
- Don't store the recovery code on the target device and compare it with the user's input locally
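As an added illustration of both mitigation points (this is example code written for this report, not Bumble's implementation): a server-side verifier that keeps the SMS code on the server only, caps guesses per issued code, expires and single-uses the code, and compares in constant time. The limits (5 attempts, 5-minute lifetime, 4 digits) are assumed values chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example; a real deployment picks its own.
MAX_ATTEMPTS = 5        # guesses allowed per issued code before lockout
CODE_TTL_SECONDS = 300  # code is void 5 minutes after issue
CODE_DIGITS = 4         # the report describes a 4-digit SMS code


@dataclass
class RecoveryChallenge:
    code: str        # held server-side only; never sent to the app
    issued_at: float
    attempts: int = 0


class RecoveryCodeService:
    """Server-side issue/verify for SMS recovery codes.

    The client submits guesses; it never receives the code to compare locally,
    so an unlimited offline search on the device is impossible.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry can be tested
        self._challenges: dict[str, RecoveryChallenge] = {}

    def issue(self, phone: str) -> str:
        # Uniformly random, zero-padded code; re-issuing replaces any old one.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[phone] = RecoveryChallenge(code=code, issued_at=self._clock())
        return code  # handed to the SMS gateway, not to the API response

    def verify(self, phone: str, guess: str) -> tuple[bool, str]:
        ch = self._challenges.get(phone)
        if ch is None:
            return False, "no_active_code"
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[phone]
            return False, "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            # Locked until the code expires or a fresh one is issued.
            return False, "locked"
        ch.attempts += 1
        # Constant-time comparison: no timing leak of a matching prefix.
        if hmac.compare_digest(ch.code.encode(), guess.encode()):
            del self._challenges[phone]  # single use
            return True, "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            return False, "locked"
        return False, "wrong_code"


if __name__ == "__main__":
    svc = RecoveryCodeService()
    phone = "+10000000000"  # constructed sample number
    code = svc.issue(phone)
    wrong = "0000" if code != "0000" else "0001"
    for _ in range(MAX_ATTEMPTS + 1):
        print(svc.verify(phone, wrong))  # ends in "locked"
    print(svc.verify(phone, code))       # still locked, even with the right code
```

Rate-limiting the code-request endpoint itself is a separate control; without it, an attacker who hits the lockout can just request a new code and start over.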
Details
Devices: iPhone SE (13.2), iPhone 6s (12.4)
App: Bumble (5.140.0)
Impact
Account takeover.