IDOR leads to 2FA Bypass

4 months ago

Arth Bajpai

Hello everyone, my name is Arth Bajpai and I'm back with another writeup.

I just finished my trip, so I wanted to share my next writeup about a very cool 2FA bypass I found using IDOR.

So I received an invitation to a private program on Bugcrowd, let's say Redacted.com.

It had many features, including the ability to create groups and add users, and many others. I love to test websites with the ability to create groups, as it opens a big window for vulnerabilities.

So initially I tested for bugs like HTML injection, XSS, CSRF, IDOR, everything, but sadly didn't find much success.

I noticed it was their testing domain and not the main domain, so a few functionalities were not working properly, which reduced my testing a lot.

Later I noticed they have a 2FA function. I tried 2FA bypass by response manipulation and a few other methods (weak 2FA implementation, etc.) but didn't find any success, so I left that function and left the site after reporting a few low-hanging fruits.

After a few days I again tried to give it a go, but again no success other than a few more low-hanging fruits.

After a week I thought about giving it another go and noticed they have a function for removing 2FA using a secret code if you don't have access to your Google Authenticator. The secret code was a bit long, probably 8-9 digits, so I didn't pay much attention to it, but my habit is to copy everything, or send every possible request to Burp Repeater, so that I can compare it or play with it later. So I copied the secret code into Burp along with its request.

Now, when I enabled 2FA on a second account to look for any possible 2FA bypass using IDOR or CSRF, I was surprised that the codes were in sequential order.

I got excited and tried changing the secret key and account ID to find an IDOR via 2FA bypass, but sadly it didn't work, as it was properly validating the ID.

But at least it was a start; I knew that I could find something interesting there.

So I started digging deeper into it. The website had login via multiple methods, and when you log in using a magic link or email and password it asks you to enter the 2FA code to get access.

So I logged in using the magic link and it asked me to enter the 2FA code. There I noticed an option "RESET 2FA". I immediately clicked on it and it asked me to enter the secret key. I entered the correct key, but it showed me an error. I was like, what's going on here? So I entered the 2FA code again and captured the request in Burp.

Now comes the interesting part: it had only 2 parameters:

"email":"user_email", "RecoveryKey":"123456789"

So the reason it was giving an error was that it was not able to pick the email for the email parameter from the login details by itself, as I had logged in using the magic link.

I got excited again, as I got a feeling that an IDOR could work here. I immediately entered the victim's email and recovery key and "BOOM", the victim's 2FA was removed successfully.

I reported it immediately. 2FA bypass is P3 on Bugcrowd, and here I was deleting the 2FA using IDOR, so it should have been P2 (High) severity,

but for some reason it was triaged as P3 after multiple comments. I thought, OK, no problem.

A few days later the company replied that internally they wanted to accept it as P4. Well, I can't mention their reasons due to the non-disclosure policy :) but their reasons were definitely not satisfactory.

But still, it was a vulnerability which I would like to share.

Hopefully you guys like my writeup.

Don't forget to follow me on Twitter and on LinkedIn.

See you in my next writeup next week. Till then, bye bye, take care.
