Critical Account Takeover (MFA + Auth Bypass) due to Cookie Misconfiguration


Sharat Kaikolamthuruthil

Hello Folks,

This write-up is about an account takeover bug that I found on a public bug bounty program.

As an attacker, I was able to easily bypass both the authentication and the MFA mechanism implemented in the application.

For obvious reasons I won't be disclosing the target name. Let’s assume that the domain name is “target.com”. In order to access the application, we need to log in via “sso.target.com/v2/login”.

The application first asked for the username. After submitting the username, it redirected to “sso.target.com/v2/login/options”, where the application prompted for the password. I entered a wrong password and clicked on login. The application sent a POST request with the credentials in the body. I intercepted the response using a proxy tool: it was a 302, and the application redirected to the following URL, “GET /v2/login?failed”.

Now I replaced the request with “POST /v2/mfalogin/enrolled” and forwarded it.

The application successfully logged in without the credentials or MFA code.

The root cause: the application was already assigning a valid session cookie at the moment the username was entered, before any credential had been checked, and the MFA enrollment URL (“/v2/mfalogin/enrolled”) did not validate that the session behind that cookie had actually passed the password and MFA steps. Any request carrying the early cookie was treated as a completed login.
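To make the flaw concrete, here is an added example (not code from the original post or from the affected application) that models the login flow as a small state machine. The endpoint names are taken from the write-up; the user record, password, MFA code and return values are constructed for illustration. The vulnerable class issues a session cookie at the username step and lets the enrolled endpoint trust the cookie alone; the hardened class keeps per-session progress flags server side, discards the pre-auth session on a failed password, and only admits a session that has passed both the password and the MFA step.

```python
# Added example modelling the cookie misconfiguration described above and its fix.
# Endpoint paths come from the write-up; users, secrets and responses are constructed.
import secrets
from dataclasses import dataclass

# Constructed test user (hypothetical values).
USERS = {"alice": {"password": "correct horse battery staple", "mfa_code": "123456"}}


@dataclass
class Session:
    username: str
    password_verified: bool = False
    mfa_verified: bool = False


class VulnerableSSO:
    """Flawed flow: a valid cookie exists as soon as the username is submitted,
    and /v2/mfalogin/enrolled never checks how far the login actually got."""

    def __init__(self):
        self.sessions = {}

    def login_username(self, username):
        # Cookie handed out before any credential has been checked.
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(username)
        return sid

    def login_password(self, sid, password):
        s = self.sessions[sid]
        if USERS[s.username]["password"] == password:
            s.password_verified = True
            return "302 /v2/mfalogin"
        return "302 /v2/login?failed"  # session cookie stays valid after failure

    def mfalogin_enrolled(self, sid):
        # No state check: any session cookie is treated as a completed login.
        s = self.sessions[sid]
        return f"200 logged in as {s.username}"


class HardenedSSO(VulnerableSSO):
    """Fixed flow: progress is tracked per session and enforced at every step."""

    def login_password(self, sid, password):
        s = self.sessions[sid]
        if USERS[s.username]["password"] == password:
            s.password_verified = True
            return "302 /v2/mfalogin"
        del self.sessions[sid]  # failed password invalidates the pre-auth session
        return "302 /v2/login?failed"

    def mfalogin_verify(self, sid, code):
        s = self.sessions.get(sid)
        if s and s.password_verified and USERS[s.username]["mfa_code"] == code:
            s.mfa_verified = True
            return "302 /v2/mfalogin/enrolled"
        return "403 mfa required"

    def mfalogin_enrolled(self, sid):
        s = self.sessions.get(sid)
        if s is None or not (s.password_verified and s.mfa_verified):
            return "302 /v2/login"  # cookie alone is not proof of authentication
        return f"200 logged in as {s.username}"


def skip_to_enrolled(sso, username):
    """Replays the sequence from the write-up: username, wrong password,
    then a direct request to the enrolled endpoint with the same cookie."""
    sid = sso.login_username(username)
    sso.login_password(sid, "wrong-password")
    return sso.mfalogin_enrolled(sid)


def full_login(sso, username, password, code):
    """Legitimate flow against the hardened server: all steps in order."""
    sid = sso.login_username(username)
    sso.login_password(sid, password)
    sso.mfalogin_verify(sid, code)
    return sso.mfalogin_enrolled(sid)


if __name__ == "__main__":
    print("vulnerable:", skip_to_enrolled(VulnerableSSO(), "alice"))
    print("hardened:  ", skip_to_enrolled(HardenedSSO(), "alice"))
    print("legit:     ", full_login(HardenedSSO(), "alice",
                                    "correct horse battery staple", "123456"))
```

The fix is not about the cookie's attributes but about what the cookie means: a session identifier issued before authentication should carry no privilege, every post-login endpoint should check the server-side progress flags rather than the mere presence of a cookie, and in a real deployment the session identifier should also be regenerated once authentication completes so a pre-auth identifier never becomes an authenticated one.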

The company accepted this as a CRITICAL vulnerability, since a victim’s account could be accessed without any credentials or MFA code.

Have a good day!! Keep hacking….😃

Disclaimer: For educational purposes only; please do not use this for illegal activities.
