2FA Bypass via OAuth Linking


Sharat Kaikolamthuruthil

Hola Amigos,

This is a write-up explaining how I was able to bypass 2FA via OAuth linking on a popular private bug bounty program.

In this case, the application offered Facebook, Apple & Google logins. So, I created a normal account with an email, say victim@gmail.com, & enabled 2FA on it.

Now, I tried to authenticate into the application via Facebook. I entered the credentials of my Facebook account & the privacy option showed up where you can choose whether or not to share name, profile pic & email id from Facebook.

I chose not to share the email id as I was checking for an account takeover bug.

Then, the application asked me to enter an email id. I entered the email id of the victim account created earlier, victim@gmail.com.

But this did not give me direct access to the account, as it would have if an account takeover bug existed. Instead, it prompted for the password.

I entered the victim’s password & hit login.

Here the application should have prompted for the 2FA code, as 2FA was enabled on the victim@gmail.com account.

But instead, it gave me access to the victim’s account, as there was no 2FA check implemented on this path.
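To make the flaw concrete, here is a small model of the two login paths: the ordinary password login enforces 2FA, while the "link a social login to an existing account" path only checked the password. This is an added example, not the program's code; every name in it (User, password_login, link_oauth_vulnerable, link_oauth_fixed) is an assumption, and the TOTP check is a stand-in.

```python
"""Model of the two login paths from the write-up. Added example, not the
program's code; every name here is an assumption and the TOTP check is a
stand-in so the flow runs self-contained."""
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class User:
    email: str
    password_hash: str
    totp_enabled: bool
    totp_secret: str   # in this model the valid 2FA code equals the secret
    linked_providers: set = field(default_factory=set)

def hash_password(pw: str) -> str:
    # Placeholder for the example only; production code needs a real KDF.
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(user: User, pw: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_password(pw))

def verify_totp(user: User, code: str) -> bool:
    # Stand-in for real TOTP verification.
    return bool(code) and hmac.compare_digest(code, user.totp_secret)

def password_login(user: User, pw: str, totp: str = "") -> str:
    """Ordinary login: password first, then the 2FA code if it is enabled."""
    if not check_password(user, pw):
        return "denied"
    if user.totp_enabled and not verify_totp(user, totp):
        return "2fa_required"
    return "session"

def link_oauth_vulnerable(user: User, provider: str, pw: str) -> str:
    """Before: linking a social login to an existing account checked only the
    password, so 2FA was skipped and a session was issued straight away."""
    if not check_password(user, pw):
        return "denied"
    user.linked_providers.add(provider)
    return "session"

def link_oauth_fixed(user: User, provider: str, pw: str, totp: str = "") -> str:
    """After: the linking path reuses the normal login policy, so 2FA is
    enforced before the provider is linked and a session issued."""
    result = password_login(user, pw, totp)
    if result == "session":
        user.linked_providers.add(provider)
    return result
```

The fix is the same rule in both paths: any step that ends in a session for an existing account must run the account's full authentication policy, not just the password check.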

The company accepted it as a High severity bug.

Hope you guys learnt something new from this. 🙂

Have a good day!! Keep hacking… 😃

Disclaimer: This blog is for educational purpose only. Please do not engage in unauthorized testing.
