2FA bypass that made me $______

2 weeks ago 24

imwaiting18 (Virang Rajyaguru)

Hey Everyone!

After my recent blog, I felt like writing again and here we are! I will keep it as simple as possible but technical.

no sweats

What is a 2FA bypass?

Two-factor authentication (2FA) is a second layer of protection on top of the password, and a 2FA bypass is a technique or attack used to skip this layer of security. A 2FA bypass is often achieved by chaining an existing vulnerability. For example:

HTTP Response Manipulation leads to 2FA Bypass

IDOR on user_id for Disable 2FA leads to 2FA bypass

In our case, the existing vulnerability was a lack of CSRF protection on sensitive functionality: disabling 2FA.

What is CSRF?

Cross-Site Request Forgery (CSRF) is an attack where a threat actor forges a malicious HTTP request and tricks victims into sending it from their own authenticated browser, so that they perform an action they do not intend to perform.

So now that we have the basics covered, let’s get into the vulnerability. While performing testing of a web application, I noticed it had a 2FA functionality. This is one of my favorite functionalities to test as you can get very creative and interesting bugs. So I quickly set it up, you know the drill… pull the phone out… enter the secret… enter the code, and it’s all done.

2FA ON

So now that I had my 2FA on, I quickly signed out to find some bugs on the Login like Response manipulation, Forced directory browsing, and Forget password, but I had no luck finding anything to bypass the functionality. So then I decided to bypass 2FA post login so you have two different endpoints to test for pre- and post-login.

Once I was logged in, I decided to look for Clickjacking on Delete user or Disable 2FA but it was all secured. I then decided to look for IDOR and I captured the disable 2FA request and to my surprise, there was no protection applied to the functionality. The server did not prompt for a 2FA code or a password and it was a simple GET request that called the API to disable the second layer protection.

GET /api/v1/mfaturnoff HTTP/1.1
Host: staging.example.com
Cookie: some imp cookies
User-Agent: browser
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://example.com

As soon as I noticed the request, CSRF popped into my mind and I generated a PoC using Burp Suite.

steps to generate poc

Once my PoC was generated, I saved it under CSRF.html, made a new account on a different browser… turned on my 2FA… opened my CSRF PoC, and submitted my request. The server responded with,

burp repeater response but don’t worry I got it done

I had successfully disabled a user’s 2FA without them realizing it. To serve my malicious request, there were other vulnerabilities in the web application, like missing DMARC records, that allowed me to send an email to a user with a link to my server that served this malicious HTTP request.

As there were no parameters involved, the PoC could be used for mass exploitation.
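On the defensive side, the three gaps described above (state change on GET, no CSRF token, no prompt for a 2FA code) map to three server-side checks. The following is an added example, not code from the original post or from the affected application; `SERVER_KEY`, `ALLOWED_ORIGINS`, `disable_mfa` and the `session`/`form` dictionary layout are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct, time

SERVER_KEY = b"constructed-demo-key"        # assumption: per-deployment secret
ALLOWED_ORIGINS = {"https://example.com"}   # assumption: the app's own origin

def csrf_token(session_id: str) -> str:
    """Token bound to the session, so a cross-site page cannot know it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the code an authenticator app shows."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def disable_mfa(method, headers, session, form, now=None):
    """Return (status, reason); 2FA is turned off only if every check passes."""
    now = time.time() if now is None else now
    if method != "POST":                      # no state change on GET
        return 405, "state-changing action requires POST"
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return 403, "cross-origin request"
    if not same(form.get("csrf_token", ""), csrf_token(session["id"])):
        return 403, "missing or invalid CSRF token"
    # Step-up: prove possession of the second factor before removing it.
    code = form.get("totp_code", "")
    secret = session["totp_secret"]
    if not any(same(code, totp(secret, now + d * 30))
               for d in (-1, 0, 1)):          # tolerate one step of clock skew
        return 401, "current 2FA code required"
    session["mfa_enabled"] = False
    return 200, "2FA disabled"
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a further layer, but the step-up check is what keeps a forged or replayed request from removing the second factor.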

So how much did I get paid for this bug?

The company kept stalling for weeks and in the end, stopped replying altogether. I had fun finding it and writing about it.
