How I discovered 2FA bypass leading to potential ATO lead funds loss in a web3

Hello

Today I will show you how I discovered and escalated it to a potential ATO leading to fund loss

So, Let’s get started

first I visited my target let say example.com which has a login type with Oauth token and through email & password so I created my account using mail & password after the successful signup. I complete my 2FA process and activate it

after some testing, I didn’t get any Account related bugs,But wait I have to test the 2FA so I started testing him and ended up with nothing but the Oauth login rest so I tested it

here I click on Google Oauth to log in and *Boom*

I tested logging in via Google OAuth and noticed something alarming — no 2FA code was required! I was able to log into my account without needing to provide the 2FA code. This was a major security issue.

I knew this issue could potentially be significant, but at first glance, it seemed like a P4 or P3 severity issue at best. To escalate it, I reached out to a Discord group I had collaborated with on previous reports. After discussing the situation, we explored how to increase the bug’s priority.

we (the discord team and me ) managed to figure out some users due to third-party data storethen we visited to https://www.proxynova.com/tools/comb#google_vignette to get their Gmail and password so we could log in/signup into Chrome and takeover their accounts by luck we got 50–60 Accounts in the data breach from all sitesAfter that, I submitted the report as critical because the attack scenario will be like this

> After getting the user’s Gmail and password we could you easily login into Chrome and then use Oauth to sign on the site and then steal the funds of users

So, I rapidly reported the issue

Unfortunately, the report was marked Out of Scope (OOS) because the exploit was limited to a small number of users affected by the third-party breach. However, I still received a small bounty of $100 due to the attack scenario my Discord team helped establish.

Hope you enjoy the article

connect me on social media: https://linktr.ee/jeetpal2007

Discord team:https://discord.gg/Y467qAFM4X