This is my first write-up, so I'll try to keep it short and simple.
Here I will explain how I was able to set up 2FA on an unverified account, which results in a denial of service for the real owner of that email address (assuming the victim has not registered an account yet).
The setup flow was:
1. Sign up for an account.
2. Verify the email address.
3. Set up 2FA.
As security standards require, you cannot set up 2FA without first verifying your email. I successfully bypassed this restriction and was able to set up 2FA without verifying the email.
The website was using WebSocket for its API. When setting up 2FA on a verified account, the first WebSocket request looked like this:
["{\"msg\":\"method\",\"method\":\"2fa/generateMFA\",\"params\":[],\"id\":\"XXXX\"}"]
Then,
["{\"msg\":\"method\",\"method\":\"2fa/getSecretKey\",\"params\":[],\"id\":\"XXXX\"}"]
The response to this request contained the secret key that is entered into the authenticator app to set up 2FA, so I decided to try sending the same request from an unverified account.
I logged in to the victim's account (an account I had signed up with the victim's email address and left unverified) and sent this request:
["{\"msg\":\"method\",\"method\":\"mfa/getSecretKey\",\"params\":[],\"id\":\"24\"}"]
Unfortunately, I got "The account is not verified" in response. After some trial and error, I noticed that the first request in the 2FA setup was actually this one:
["{\"msg\":\"method\",\"method\":\"mfa/generateMFA\",\"params\":[],\"id\":\"XXXX\"}"]
So I sent this request from the victim's account and got an empty response.
Then I tried sending the getSecretKey request again:
["{\"msg\":\"method\",\"method\":\"mfa/getSecretKey\",\"params\":[],\"id\":\"24\"}"]
This time I got the secret key in the response. It was around 10 to 12 characters long.
I opened Google Authenticator, quickly set up 2FA using that secret, and it worked.
This way I was able to set up 2FA on an unverified account, which blocks the real owner of that email address from using the website in future: they can no longer register with their own address, and the existing account cannot be used without the TOTP secret I enrolled.
Timeline:
28 June 2021: Reported
29 June 2021: Acknowledged
2 July 2021: Fixed and $$$ bounty
Thanks for reading.