👨‍🏫 Tutorial: Bypass almost every Philippine Government and Educational Website OTP

So that the account is recognized and the OTP cross-checked against it. And that, or right there, is the flaw itself.
Normally the flow is that the token or cookie is set only after the OTP has been verified. This is the first time I've encountered a case where, right after the user logs in, a token or cookie is set immediately to verify the account and OTP, which is unnecessary because it is usually sent to the user's account (i.e. email); you don't need to verify it or the account itself since that is already redundant. Also, these tokens or cookies usually have an expiration, and these early-set tokens and cookies should not be usable to access the website itself. If they can be, and if there is no expiration, I would say the developer itself is incompetent.
 
Normally the flow is that the token or cookie is set only after the OTP has been verified. This is the first time I've encountered a case where, right after the user logs in, a token or cookie is set immediately to verify the account and OTP, which is unnecessary because it is usually sent to the user's account (i.e. email); you don't need to verify it or the account itself since that is already redundant. Also, these tokens or cookies usually have an expiration; if they don't, I would say the developer itself is incompetent.
That's the problem, they don't. I think it's because it's easier to implement, hence we can safely assume they don't care or they just don't know how. Their OTP as well: it lasts very long with no timeout, and there's no rate limit either. That's a problem because anyone can brute-force it easily, even if it's a code, as long as the pattern is limited and computable.

"right after the user logs in, a token or cookie is set immediately to verify the account and OTP, which is unnecessary" Not really, because if you verify the code, the system still needs to know which account it's for or which account to log in afterwards. The only thing is, they went straight ahead and issued it immediately without restricting the token whose OTP has not yet been verified.
 
It needs to get hacked badly before they learn their lesson. hahaha
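The posts above describe the correct flow as: a token issued after the password step may only identify which OTP challenge is being answered, it must expire, it must never grant access on its own, and the OTP itself needs a timeout and an attempt limit. As an added example (not code from this thread or from any of the sites discussed), here is a minimal reference implementation of that flow in Python. The class name `OtpLogin`, the constants, and the `clock` parameter are assumptions made for the example; OTP delivery (email/SMS) is outside its scope, so `start_login` returns the code only so the demo can use it.

```python
import hmac
import secrets
import time

# Assumed policy values for this example, not taken from any real site.
OTP_TTL_SECONDS = 300        # an OTP is only good for 5 minutes
MAX_OTP_ATTEMPTS = 5         # the challenge is burned after this many tries


class OtpLogin:
    """Two-step login: password -> pending token -> OTP -> session.

    A pending token lives in a separate table from real sessions, so a
    protected resource can never mistake one for the other (the flaw the
    thread discusses is a pre-verification token that already grants access).
    """

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so expiry can be tested
        self.pending = {}           # pending_token -> challenge record
        self.sessions = {}          # session_token -> user

    def start_login(self, user):
        # Called only after the password check has succeeded.
        otp = f"{secrets.randbelow(10**6):06d}"      # constructed 6-digit code
        token = secrets.token_urlsafe(32)
        self.pending[token] = {
            "user": user,
            "otp": otp,
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # In a real system the OTP goes out of band; it is returned here
        # purely so the example is self-contained.
        return token, otp

    def verify_otp(self, pending_token, submitted):
        challenge = self.pending.get(pending_token)
        if challenge is None:
            return None                                 # unknown or already used
        if self.clock() > challenge["expires"]:
            del self.pending[pending_token]             # timed out: burn it
            return None
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_OTP_ATTEMPTS:
            del self.pending[pending_token]             # too many guesses: burn it
            return None
        if not hmac.compare_digest(challenge["otp"], submitted):
            return None                                 # wrong code, attempt counted
        del self.pending[pending_token]                 # single use
        session = secrets.token_urlsafe(32)
        self.sessions[session] = challenge["user"]
        return session

    def user_for(self, token):
        # Protected resources consult only the session table; a pending
        # token is never accepted here, no matter how it was obtained.
        return self.sessions.get(token)


if __name__ == "__main__":
    login = OtpLogin()
    pending, code = login.start_login("alice")
    print("pending token grants access?", login.user_for(pending) is not None)
    session = login.verify_otp(pending, code)
    print("session user:", login.user_for(session))
```

The three behaviours worth checking are exactly the ones the posts call out: the pending token returns no user from `user_for`, a challenge older than `OTP_TTL_SECONDS` is rejected even with the right code, and after `MAX_OTP_ATTEMPTS` wrong guesses the correct code no longer works either.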