A critical authentication vulnerability discovered in Jack & Jones India's e-commerce platform, allowing unauthorized account access through OTP brute force attacks.
<aside> ⚠️
Critical Vulnerability: CVSS 8.1 (HIGH) - Authentication Bypass via OTP Brute Force
</aside>
During a manual security assessment of the Jack & Jones India website (www.jackjones.in) in July 2025, I discovered a critical vulnerability in their OTP verification mechanism. The absence of rate-limiting protections allowed brute-force attacks on 4-digit OTP codes, potentially enabling unauthorized access to user accounts.
Target: Jack & Jones India (https://www.jackjones.in) Discovery Date: July 26, 2025 Vulnerability Type: Authentication Bypass / Brute Force CVSS Score: 8.1 (HIGH) Affected Users: ~500,000+ registered users Status: Responsibly disclosed, awaiting vendor response
<aside> 📌
At a glance
</aside>
<aside> 🔥
Risk
</aside>
The OTP verification endpoint at https://login-otp.bestseller.com/login/verifyotp accepts 4-digit numeric codes without implementing critical security controls:
With only 10,000 possible combinations (0000-9999), an attacker could brute-force the correct OTP within minutes using automated scripts.