Endpoint confusion leads to 2FA bypass

1 month ago

So let’s start:

The story began with a bug bounty program (BBP) I had been hunting on for a while. I noticed it had a new feature, 2FA, so I tested it with all the popular bypass techniques I know, but nothing worked.

It was an educational platform. The scope was several subdomains, each one for a different user type (Teacher, Student, Parent).

So there was teacher.example.com for teachers and parent.example.com for parents, and all these user types can interact with each other: on teacher.example.com a teacher can send messages to parents, get students' assignments, write exams and so on.

The 2FA feature was available on all subdomains. When you enable 2FA on teacher.example.com and log in, a request is sent to /api/login with the username and password, then a 401 response comes back with a message to enter the OTP code sent to your email; when you enter it, the response returns the user data and a session. The flow is the same on all subdomains.

But when you sign up, the request is sent to /api/[user-type]. This was not the same across subdomains: the teacher signup request went to /api/teacher and the parent signup request went to /api/parent, with different input parameters specific to each user type. The only two parameters shared by all subdomains were email and password.

So I asked myself a question: what if I sign up on parent.example.com with a teacher's email address?

So now let's assume there is a victim who is a registered teacher. I know his email and password, but I can't access his mailbox to enter the OTP, so the 2FA still blocks me.

So I went to the parent signup page on parent.example.com. In the front-end there was a single input field for the email. When I entered an already registered teacher email it redirected me to teacher.example.com; when I entered a registered parent email it redirected me to the login page; and when I entered a random email not registered on the platform it showed the other input fields: first name, last name, password.

So to bypass the redirection I entered a random email to reveal the other fields, then a random password and the other details like first name and last name, clicked sign up, intercepted the signup request to /api/parent and sent it to Repeater.

In Repeater I changed the email parameter to the victim teacher's email and sent the request, and got an error message saying the email was already registered. But when I also changed the random password to the victim teacher's password, I got a 200 OK response with all the victim's data and a session.

So I immediately added a match-and-replace rule to swap my cookies for the cookies I got from this response, went to teacher.example.com and successfully accessed the victim's account without 2FA.

There were 2 issues here:

1- /api/parent is a signup endpoint; it should not log teachers in when a correct email and password are sent to it. The login endpoint for all user types is supposed to be /api/login (this is what made me choose the title "endpoint confusion").

2- Also, the /api/parent endpoint did not check whether the account had 2FA enabled and never asked for an OTP code, unlike /api/login.

The same bug also existed when attacking a victim parent: I went to teacher.example.com and did the same thing I did with the /api/parent endpoint, but this time with the /api/teacher endpoint.
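To make the two issues concrete, here is a small in-memory model of the endpoints described above, written as an added example; it is not code from the original post or from the platform, and the handler names, the user table, the response shapes and the shared session store are all assumptions. The intended /api/login path enforces the OTP when 2FA is on, while the vulnerable per-user-type signup handler falls through to a password check on an existing email and hands out a session with no OTP, regardless of the account's type. The hardened version rejects an existing email before the password is ever compared, so signup can never act as a login.

```python
# Added example, not code from the original post or the target platform.
# Minimal model of /api/login and the per-user-type signup endpoints
# (/api/teacher, /api/parent). Handler names, the user table, response
# shapes and the session store are assumptions made for this example.
import secrets

# Constructed user table: one teacher with 2FA enabled, one parent without.
USERS = {
    "victim.teacher@example.com": {"type": "teacher", "password": "T3acher-Pass!", "twofa": True},
    "some.parent@example.com": {"type": "parent", "password": "P4rent-Pass!", "twofa": False},
}
PENDING_OTP = {}  # email -> OTP the server "emailed" (delivery is assumed)
SESSIONS = {}     # session token -> email, shared by every subdomain


def issue_session(email):
    """Mint a session for a user who has already been authenticated."""
    token = secrets.token_hex(16)
    SESSIONS[token] = email
    return {"status": 200, "email": email, "type": USERS[email]["type"], "session": token}


def whoami(token):
    """What any subdomain sees when the session cookie is replayed to it."""
    email = SESSIONS.get(token)
    return None if email is None else {"email": email, "type": USERS[email]["type"]}


def api_login(email, password, otp=None):
    """/api/login: wrong creds -> 401; 2FA on -> 401 with an OTP prompt first."""
    user = USERS.get(email)
    if user is None or not secrets.compare_digest(user["password"], password):
        return {"status": 401, "error": "invalid credentials"}
    if user["twofa"]:
        if otp is None:
            PENDING_OTP[email] = "%06d" % secrets.randbelow(10**6)
            return {"status": 401, "message": "enter the OTP code sent to your email"}
        if PENDING_OTP.pop(email, None) != otp:
            return {"status": 401, "error": "wrong OTP"}
    return issue_session(email)


def api_signup_vulnerable(user_type, email, password, firstname, lastname):
    """/api/<user_type> as the writeup describes it: when the email already
    exists it compares the password and, on a match, returns that account's
    data and session, ignoring both the account's type and its 2FA flag."""
    user = USERS.get(email)
    if user is not None:
        if secrets.compare_digest(user["password"], password):
            return issue_session(email)  # BUG: a login through signup, no OTP
        return {"status": 400, "error": "email already registered"}
    USERS[email] = {"type": user_type, "password": password, "twofa": False,
                    "name": (firstname, lastname)}
    return issue_session(email)


def api_signup_fixed(user_type, email, password, firstname, lastname):
    """Hardened signup: an existing email is rejected before any password
    comparison, so this endpoint can never authenticate an existing account.
    Login, and with it the OTP check, happens only in api_login."""
    if email in USERS:
        return {"status": 409, "error": "email already registered"}
    USERS[email] = {"type": user_type, "password": password, "twofa": False,
                    "name": (firstname, lastname)}
    return issue_session(email)


def replay_attack(signup, victim_email, victim_password):
    """The Repeater step: a parent signup with throwaway name fields but the
    victim teacher's email and password swapped into the request."""
    return signup("parent", victim_email, victim_password, "rand", "om")


if __name__ == "__main__":
    print(api_login("victim.teacher@example.com", "T3acher-Pass!"))
    hit = replay_attack(api_signup_vulnerable, "victim.teacher@example.com", "T3acher-Pass!")
    print(hit, whoami(hit.get("session")))
    print(replay_attack(api_signup_fixed, "victim.teacher@example.com", "T3acher-Pass!"))
```

The check a reviewer would want from this model is simple: every code path that calls issue_session must sit behind the same credential-plus-OTP gate, and a signup handler should not contain a password comparison at all. The session store being shared across subdomains is what turns the /api/parent session into a teacher.example.com login.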

So this is how I was able to bypass 2FA for all user types on this platform!

Thanks for reading
