How I found a 2FA bypass in a private program :)

Abdo Rabea (VolteX)
3 min read · Feb 8, 2025


Unexpectedly, a happy ending…

In the name of Allah, the Most Gracious, the Most Merciful

Hello hackers! In this write-up I will take you on the journey of exploring a strange behaviour that led to a 2FA bypass.

The journey on this program started with two logic-bug duplicates :( on the same domain. But while I was testing another domain, an idea came to mind: rather than just looking for a bug, why not try to break what is meant to be secure?

So I went back to the login functionality and started testing it again.
At the 2FA step, I first tried the usual things: changing the email to the victim's email, submitting the code from another account, response manipulation, and more. They all failed.

So I tried to understand the mechanism behind it. After some testing, here is what I found:

  • The token in the body of the request, not the email, is what identifies the user being logged in
  • User1's email with User2's code → ERROR, so the code is checked against the email, not against the token

So the scenario is:

What if I use User2's token together with User1's email and code? And boom, I'm in [2FA bypass].

Steps to reproduce:

  1. Create two accounts, [User1] -> (Attacker) and [User2] -> (Victim), and enable 2FA from the settings.
  2. Log in to the User2 account and grab its token from the request in Burp [as User2 you do not have access to the email inbox, so you cannot read User2's code].
  3. Log in to the User1 account [you will receive User1's 2FA code], enter it in the code field, and with Burp interception on, click Continue.
  4. In the intercepted request in Burp, edit User1's token to User2's token and click Forward.
  5. Turn interception off: you will find that you are logged in to the User2 account.
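To make the root cause concrete, here is an added example of my own (a constructed model, not the program's code and not the author's): a minimal in-memory 2FA verification step that has exactly the mismatch described above, the one-time code is validated against the client-supplied email while the session is created for the owner of the pre-auth token, placed next to a fixed version that binds every check to the user the token was issued to. The class `AuthServer`, the method names `verify_2fa_vulnerable` and `verify_2fa_fixed`, and the `user1@example.com` / `user2@example.com` accounts are all assumptions for this demo; `replay_writeup` plays through steps 1 to 5 against either verifier.

```python
import hmac
import secrets


class AuthServer:
    """Constructed, in-memory stand-in for the application's login back end.

    Hypothetical model, not the program's code: after the password step the
    server issues an opaque pre-auth token (sent back in the request body)
    and e-mails a six-digit one-time code to the account's inbox.
    """

    def __init__(self, emails):
        # email -> user id; constructed sample accounts (ids 1, 2, ...)
        self.users = {email: uid for uid, email in enumerate(emails, start=1)}
        self.preauth_tokens = {}   # pre-auth token -> user id
        self.pending_codes = {}    # user id -> one-time code
        self.sessions = {}         # session id -> user id

    def password_step(self, email):
        """Password assumed already verified; returns (token, code).

        The code is returned here only so the demo can play the e-mail inbox;
        a real server would send it to the address on file.
        """
        uid = self.users[email]
        token = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self.preauth_tokens[token] = uid
        self.pending_codes[uid] = code
        return token, code

    def _start_session(self, uid):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = uid
        return sid

    def verify_2fa_vulnerable(self, token, email, code):
        """The behaviour described in the write-up.

        The one-time code is checked against the *email* field, but the session
        is created for whoever the *token* belongs to, so an attacker can send
        their own email + code together with the victim's token.
        Returns the user id that got logged in, or None on rejection.
        """
        session_uid = self.preauth_tokens.get(token)
        email_uid = self.users.get(email)
        if session_uid is None or email_uid is None:
            return None
        if self.pending_codes.get(email_uid) != code:
            return None  # "User1 email with code of User2 -> ERROR"
        self.pending_codes.pop(email_uid)
        self.preauth_tokens.pop(token)
        self._start_session(session_uid)   # logs in the token's owner
        return session_uid

    def verify_2fa_fixed(self, token, email, code):
        """Bind every check to the user the pre-auth token was issued to.

        The client-supplied email must match that user, the code is looked up
        for that user only, the comparison is constant-time, and both the
        code and the token are single-use.
        """
        session_uid = self.preauth_tokens.get(token)
        if session_uid is None or self.users.get(email) != session_uid:
            return None
        expected = self.pending_codes.get(session_uid)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        self.pending_codes.pop(session_uid)
        self.preauth_tokens.pop(token)
        self._start_session(session_uid)
        return session_uid


ATTACKER = "user1@example.com"   # constructed: User1, the attacker (id 1)
VICTIM = "user2@example.com"     # constructed: User2, the victim (id 2)


def replay_writeup(verify_name):
    """Run steps 1-5 from the write-up against one of the two verifiers.

    Returns the user id the attacker ends up logged in as (None if rejected).
    """
    server = AuthServer([ATTACKER, VICTIM])
    # Step 2: log in as User2 and capture its token; User2's inbox is unreadable.
    victim_token, _unreadable_code = server.password_step(VICTIM)
    # Step 3: log in as User1 and read User1's own code from User1's inbox.
    _attacker_token, attacker_code = server.password_step(ATTACKER)
    # Step 4: the intercepted request now carries User2's token with User1's
    # email and code.
    verify = getattr(server, verify_name)
    return verify(victim_token, ATTACKER, attacker_code)


if __name__ == "__main__":
    print("vulnerable:", replay_writeup("verify_2fa_vulnerable"))  # 2 -> logged in as User2
    print("fixed:     ", replay_writeup("verify_2fa_fixed"))       # None
```

The general lesson the fixed version encodes: once the password step has created server-side state for one identity, every later field in the 2FA request (email, code, anything else the client sends) must be resolved from that state rather than trusted as an independent identifier. Checking the code against one identifier and creating the session for another is the whole bug.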

After all of this I got [Not Applicable]. Yes, you heard that right.

But after a few comments [without being rude to anyone] the report was reopened, and after three days it was [Triaged] and [Rewarded].

This is all for now, See you in the next write-up!

Contact:

LinkedIn | Twitter

Written by Abdo Rabea (VolteX)

Bug Hunter | Pentester | Electronics and Communication Engineer
