2FA Bypass Using Custom Cookie Parameter


Sharat Kaikolamthuruthil


Hello All,

This write-up is about a 2FA bypass which was found in a private program on HackerOne. A few months ago, this company had newly implemented a 2FA feature in their application.

Summary:

I immediately started testing it since it was a new feature. Surprisingly, I was able to bypass the 2FA. The cookie received during the 2FA verification process could access the internal edit profile page of the account. Here an attacker could easily change the email ID or phone number to permanently take over the account. I reported this to the program as soon as I found it. The next day it was marked as duplicate, as some other researcher had submitted the same issue before me.

Since the program was running a promotion for 2FA related bugs, I decided to test further to see if there were any other flaws. As I was exploring the application, I noticed that they had an APK version of it. This was not explicitly mentioned in the program scope, but I decided to take a look at it anyway. I installed the APK and tried logging in with a 2FA enabled account. The application logged in successfully without prompting for the 2FA code. Thus two-factor authentication was bypassed. I immediately checked the request in Burp and found that the domain was in scope. So I reported this to the program ASAP.

Root Cause:

At first I thought that the developers had not implemented 2FA in their APK. So, I decided to compare the requests from the Web App and the APK (as both domains were different but in scope) to find the root cause. I realized that the APK request had an extra parameter, UKAppMode=true; passed in the Cookie header, which led to the 2FA bypass.

Custom Cookie Parameter Value

If this parameter was added to the Web App request, 2FA could be bypassed there as well.
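To show the root cause from the defender's side, here is an added model (not the program's code) of a login handler in which a client-supplied cookie flag short-circuits the second factor, beside a corrected handler that decides 2FA enforcement only from server-side account state. Only the cookie name UKAppMode=true comes from the write-up; the Account fields, function names and the toy OTP check are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """Constructed server-side account record (toy model, not a real schema)."""
    username: str
    password: str        # plaintext only for this illustration
    totp_enabled: bool   # the ONLY thing that should decide whether 2FA applies
    current_otp: str     # stands in for a real TOTP verifier


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header such as 'a=1; UKAppMode=true' into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def login_vulnerable(acct: Account, password: str, cookie_header: str, otp=None) -> str:
    """'Before': a client-chosen app-mode flag skips the second factor entirely."""
    if password != acct.password:
        return "denied"
    cookies = parse_cookies(cookie_header)
    if cookies.get("UKAppMode") == "true":   # flag from the write-up, fully attacker-controlled
        return "session"                     # 2FA is never consulted on this path
    if acct.totp_enabled and otp is None:
        return "2fa_required"
    if acct.totp_enabled and otp != acct.current_otp:
        return "denied"
    return "session"


def login_fixed(acct: Account, password: str, cookie_header: str, otp=None) -> str:
    """'After': cookies may carry UI hints, but never an authentication decision."""
    if password != acct.password:
        return "denied"
    _ = parse_cookies(cookie_header)         # parsed for UI mode/locale, ignored for authn
    if acct.totp_enabled and otp is None:
        return "2fa_required"                # enforced for every client, web or APK
    if acct.totp_enabled and otp != acct.current_otp:
        return "denied"
    return "session"


if __name__ == "__main__":
    alice = Account("alice", "correct-horse", totp_enabled=True, current_otp="123456")
    print(login_vulnerable(alice, "correct-horse", "UKAppMode=true"))  # session (bypass)
    print(login_fixed(alice, "correct-horse", "UKAppMode=true"))       # 2fa_required
```

The fix is the same regardless of which client the request claims to come from: the server derives the 2FA requirement from the account record, so the extra cookie is inert.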

This was triaged as a HIGH severity bug.

Hope you all enjoyed reading this.

Have a good day!! 😃

Disclaimer: For educational purposes only; please do not use this for malicious or unauthorized actions.
