Submit #501868: Excitel Broadband Private Ltd. myExcitel Android app 3.13.0 Insecure OTP Verification

Title: Excitel Broadband Private Ltd. myExcitel Android app 3.13.0 Insecure OTP Verification
Description: A critical vulnerability exists in the Android app of Excitel Broadband Private Ltd., which provides users with Wi-Fi connection services. The app allows users to log in using their phone number, with a 6-digit One-Time Password (OTP) sent to the registered number for verification. However, the OTP verification mechanism is vulnerable to brute-force attacks, as there is insufficient protection to prevent multiple rapid attempts at guessing the OTP. An attacker can exploit this weakness by brute-forcing the 6-digit OTP, gaining unauthorized access to the user's account. Once logged in, the attacker can access sensitive user data, including Know Your Customer (KYC) documents, and has the ability to update the app's password or modify the associated Wi-Fi connection settings. This vulnerability poses a significant risk, as it allows unauthorized users to hijack accounts, compromise sensitive personal information, and disrupt Wi-Fi services. In order to perform this attack, an attacker should know the registered phone number of the victim user. Below is the link for the affected product: https://play.google.com/store/apps/details?id=com.scaleforce.mobile.myexcitel&hl=en
User: alokkumar0200 (UID 9619)
Submission: 02/15/2025 20:04 (1 Year ago)
Moderation: 02/23/2025 20:24 (8 days later)
Status: Accepted
VulDB entry: 296610 [Excitel Broadband Private my Excitel App 3.13.0 on Android One-Time Password excessive authentication]
Points: 17
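The control the description reports as missing, as an added example that is not the app's or the vendor's code: a server-side OTP verifier that caps wrong guesses per phone number, expires codes, and invalidates a code once it is used or the guess budget is spent. The class name, the limits and the phone number are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy: a 6-digit OTP has 10**6 candidates, so the budget must be tiny
OTP_TTL_SECONDS = 300   # assumed policy: code is only valid for five minutes


@dataclass
class OtpState:
    code: str
    issued_at: float
    attempts: int = 0


class OtpVerifier:
    """Hypothetical server-side OTP store keyed by phone number."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._pending = {}       # phone -> OtpState

    def issue(self, phone: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # uniformly random, zero-padded 6 digits
        self._pending[phone] = OtpState(code=code, issued_at=self._now())
        return code   # a real service hands this to the SMS gateway, never to the API caller

    def verify(self, phone: str, candidate: str) -> str:
        state = self._pending.get(phone)
        if state is None:
            return "no_pending_otp"
        if self._now() - state.issued_at > OTP_TTL_SECONDS:
            del self._pending[phone]
            return "expired"
        if hmac.compare_digest(state.code, candidate):
            del self._pending[phone]   # single use: a correct code cannot be replayed
            return "ok"
        state.attempts += 1
        if state.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]   # budget exhausted: the code is dead, a new one must be issued
            return "locked"
        return "wrong"


def demo() -> dict:
    """Exercise lockout, single use and expiry on a constructed placeholder number."""
    clock = [1_000_000.0]
    v = OtpVerifier(now=lambda: clock[0])
    phone = "+910000000000"   # constructed placeholder, not a real subscriber
    code = v.issue(phone)
    wrong = "000000" if code != "000000" else "000001"
    results = [v.verify(phone, wrong) for _ in range(MAX_ATTEMPTS)]
    after_lock = v.verify(phone, code)            # real code no longer accepted
    code2 = v.issue(phone)
    clock[0] += OTP_TTL_SECONDS + 1
    expired = v.verify(phone, code2)
    ok = v.verify(phone, v.issue(phone))
    return {"results": results, "after_lock": after_lock, "expired": expired, "ok": ok}
```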
