A critical authentication vulnerability discovered in Jack & Jones India's e-commerce platform, allowing unauthorized account access through OTP brute force attacks.

<aside> ⚠️

Critical Vulnerability: CVSS 8.1 (HIGH) - Authentication Bypass via OTP Brute Force


</aside>

Overview

During a manual security assessment of the Jack & Jones India website (www.jackjones.in) in July 2025, I discovered a critical vulnerability in their OTP verification mechanism. The absence of rate-limiting protections allowed brute-force attacks on 4-digit OTP codes, potentially enabling unauthorized access to user accounts.

Key Details

Target: Jack & Jones India (https://www.jackjones.in) Discovery Date: July 26, 2025 Vulnerability Type: Authentication Bypass / Brute Force CVSS Score: 8.1 (HIGH) Affected Users: ~500,000+ registered users Status: Responsibly disclosed, awaiting vendor response

<aside> 📌

At a glance

</aside>

<aside> 🔥

Risk

</aside>



The Vulnerability

Technical Summary

The OTP verification endpoint at https://login-otp.bestseller.com/login/verifyotp accepts 4-digit numeric codes without implementing critical security controls:

With only 10,000 possible combinations (0000-9999), an attacker could brute-force the correct OTP within minutes using automated scripts.

Vulnerability Classification