Everus.org 1.0.9 Second Factor Redirection
Posted by deepcore on November 17, 2018 – 9:46 pm
The Everus.org Android application version 1.0.9 has a fundamental design flaw: during the second-factor flow, the client can send a random phone number together with an arbitrary existing user id, and the server sends the one-time password for that other user to the attacker.
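The flaw described above is a server that trusts both the account identifier and the delivery number supplied by the client. The following is an added example, not Everus code: the handler names, in-memory stores and sample numbers are constructed, and `session_user_id` is assumed to be the identity the server established at the first factor. It contrasts the flawed pattern with a handler that binds the one-time password to the session and to the phone number verified at enrolment.

```python
import hmac
import secrets

# Constructed sample data: user id -> phone number verified at enrolment.
ENROLLED_PHONES = {"1001": "+15550100", "1002": "+15550199"}
PENDING_OTPS = {}   # user id -> one-time password awaiting verification
OUTBOX = []         # (destination, otp) pairs; stands in for an SMS gateway


def _issue_otp(user_id, destination):
    """Generate a 6-digit OTP for user_id and queue it for delivery."""
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTPS[user_id] = otp
    OUTBOX.append((destination, otp))
    return destination


def send_otp_vulnerable(request):
    """Flawed pattern: account and destination both come from the client."""
    return _issue_otp(request["user_id"], request["phone"])


def send_otp_hardened(session_user_id, request):
    """Account comes from the server-side session, destination from enrolment."""
    if request.get("user_id") not in (None, session_user_id):
        raise PermissionError("user_id does not match authenticated session")
    enrolled = ENROLLED_PHONES.get(session_user_id)
    if enrolled is None:
        raise LookupError("no verified phone enrolled for this account")
    # Any client-supplied "phone" field is ignored on purpose.
    return _issue_otp(session_user_id, enrolled)


def verify_otp(user_id, submitted):
    """Single-use, constant-time comparison of the submitted code."""
    expected = PENDING_OTPS.pop(user_id, None)
    return expected is not None and hmac.compare_digest(expected, submitted)
```

Changing the enrolled number is a separate, re-authenticated operation in this design; the OTP request itself never carries a destination the server will honour.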