How I was able to bypass a PIN code protection

Hello guys,
I hope you are all doing well. My name is Kerolos Sameh (AKA xko2x); I'm a 17-year-old bug hunter on HackerOne.

I found an interesting bug in a private program that I would like to share with y'all, and I hope you find this write-up helpful.

So let's get started!

Info about the target

It's a financial company that provides virtual and physical cards.

Full story

After some recon and getting to understand the target well, I found a function for creating virtual and physical cards, and I noticed that when you create a virtual card you can read the card details without any other steps.

The physical card, on the other hand, is different: you need the PIN code printed on the back of the card, and you can't get that without having the card delivered, which costs $5 too :)

So let's take a look at the PIN code request:

and the response looked like this:

So basically there is a rate limit, so it's not brute-forceable.

I tried to bypass the rate limit, but no luck :(

So I totally forgot about it, and then, while I was analyzing the JavaScript, I found an endpoint that activates the card with the card UUID only!

The original one:

As you can see, the difference is the truncated_pan (the PIN code). So I tried this endpoint, and I was shocked!

Request:

Response:

And it worked successfully!

But I was still wondering what this request was for???

After some investigation, I found that it is for re-activating a virtual card if the user has disabled it manually!

Recap

So basically, you bypass the PIN code protection by using the virtual card activation request on the physical card, just by replacing the card UUID!
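To make the root cause concrete, here is a constructed model of the two activation paths described above, with the vulnerable virtual-card handler next to a fixed one that ties the PIN requirement to the card rather than to the endpoint. This is an added example, not the target's code; the card fields, handler names and sample values are assumptions.

```python
from dataclasses import dataclass
import hmac

MAX_PIN_ATTEMPTS = 5  # assumed lockout threshold standing in for the site's rate limit

@dataclass
class Card:
    uuid: str
    owner: str
    kind: str             # "virtual" or "physical"
    pin: str              # code printed on the back of a physical card (the write-up's truncated_pan)
    active: bool = False
    pin_attempts: int = 0

def _lookup(cards, user, uuid):
    """Return the card only if it exists and belongs to the calling user."""
    card = cards.get(uuid)
    if card is None or card.owner != user:
        raise PermissionError("card not found for this user")
    return card

def activate_with_pin(cards, user, uuid, pin):
    """Physical-card path: needs the PIN and locks after too many wrong tries."""
    card = _lookup(cards, user, uuid)
    if card.pin_attempts >= MAX_PIN_ATTEMPTS:
        return "locked"
    if not hmac.compare_digest(card.pin, pin):  # constant-time comparison
        card.pin_attempts += 1
        return "wrong pin"
    card.active = True
    return "activated"

def activate_virtual_vulnerable(cards, user, uuid):
    """The bug: keyed on uuid alone and never checks the card kind, so a physical card's uuid activates it PIN-free."""
    card = _lookup(cards, user, uuid)
    card.active = True
    return "activated"

def activate_virtual_fixed(cards, user, uuid):
    """Fix: tie the PIN requirement to the card, not to which endpoint was called."""
    card = _lookup(cards, user, uuid)
    if card.kind != "virtual":
        return "pin required"  # physical cards must go through activate_with_pin
    card.active = True
    return "activated"

def demo_cards():
    """Constructed sample data: one virtual and one undelivered physical card."""
    return {"v-0001": Card("v-0001", "alice", "virtual", pin=""),
            "p-0002": Card("p-0002", "alice", "physical", pin="4821")}
```

The ownership check in `_lookup` is kept in both handlers on purpose: the flaw here is not a missing owner check but a server-side invariant (physical cards need a PIN) that was enforced by one endpoint and forgotten by another.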

Tips for Pentesters

Always read the JS files and analyze them.
And literally click on every button/function you can find, read the requests, and think about what you can do with them. This is how you build a hacker mindset :)

And that's it! I hope you liked my first write-up and that you learned something new :)

See you in the next write-up, bye!

I'm a 17 y.o. bug hunter || Security Researcher at HackerOne