Stripe’s Two-Factor Authentication (2FA) Bypass

11 months ago

Hello Everyone,

Two-factor authentication (2FA) is a particular kind of multi-factor authentication (MFA) that increases access security by requiring two independent ways (known as authentication factors) of confirming your identity.
Something you have, such as an authenticator app on your smartphone, and something you know, such as a username and password, are the two factors most commonly combined.

By protecting your logins against intruders who hold stolen or weak credentials, 2FA limits the damage from phishing, social engineering, and password brute-force attacks.

Two-factor authentication (2FA) secures your online accounts by requesting a verification code after you sign in with your email address and password. When 2FA is enabled, the same verification code is also required when a user attempts to reset their password.
As an attacker, I was able to bypass 2FA using response manipulation.

The vulnerability lies in the Stripe web application's 2FA implementation.
When users attempt to log into their accounts, the system asks them for their username, password, and a 2FA code that is sent to their registered email address or mobile device.
During my testing, however, I discovered that it is feasible to get around the 2FA check by tampering with the server's response to it.

An attacker can intercept the request that submits the 2FA code and modify the server's response to it, so that the front end believes the code was accepted.
A tool like Burp Suite can be used to accomplish this quickly.
Once the rejected response has been rewritten as a success, the application proceeds as if the 2FA step had passed, and the attacker gains access to the user's account without ever supplying a valid 2FA code.

1. Navigate to the password reset page and enter the email address associated with your account.
2. Request a password reset link.
3. Open the reset link and enter a new password.
4. You are then asked to enter the 2FA code before the password can be reset.
5. Enter a random code, intercept the request in Burp Suite, and choose Do intercept → Response to this request.

6. Change 401 Unauthorized to 200 OK and remove the error message from the response body.

[screenshot: modified response]

7. 2FA was bypassed and the password was changed.

[screenshot: password changed]
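To make the root cause concrete, here is an added example (not code from the original post, and not Stripe's code) that models the flow above in Python with hypothetical endpoint names and a fixed, constructed 2FA code. The vulnerable back end lets the front end decide, based on the status code it saw, whether to call the password-change step, so rewriting 401 to 200 in the response is enough. The fixed variant records the successful 2FA check against the reset token on the server and refuses the password change otherwise, so the same tampering fails.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed data for the demo: a fixed 2FA code stands in for the one the
# real application would send to the user's phone or e-mail.
DEMO_OTP = "123456"


@dataclass
class ResetToken:
    email: str
    otp: str
    otp_verified: bool = False   # server-side record that the 2FA step passed


class ResetService:
    """Hypothetical password-reset back end (not Stripe's implementation)."""

    def __init__(self):
        self.tokens = {}      # reset token -> ResetToken
        self.passwords = {}   # email -> current password

    def issue_token(self, email):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = ResetToken(email=email, otp=DEMO_OTP)
        return token

    def verify_2fa(self, token, code):
        """Hypothetical POST /reset/verify-2fa. Returns (status, body)."""
        t = self.tokens.get(token)
        if t is not None and hmac.compare_digest(t.otp, code):
            t.otp_verified = True
            return 200, {"ok": True}
        return 401, {"error": "Invalid 2FA code"}

    def complete_reset_vulnerable(self, token, new_password):
        """Hypothetical POST /reset/complete, vulnerable: the only thing between
        the attacker and a password change is the front end's decision to call
        this after it saw a 200 from verify_2fa."""
        t = self.tokens.pop(token, None)
        if t is None:
            return 400, {"error": "Unknown reset token"}
        self.passwords[t.email] = new_password
        return 200, {"ok": True}

    def complete_reset_fixed(self, token, new_password):
        """Hypothetical POST /reset/complete, fixed: the server refuses unless it
        recorded a successful 2FA check for this token, so whatever response the
        browser saw earlier is irrelevant."""
        t = self.tokens.get(token)
        if t is None:
            return 400, {"error": "Unknown reset token"}
        if not t.otp_verified:
            return 401, {"error": "2FA not verified"}
        del self.tokens[token]
        self.passwords[t.email] = new_password
        return 200, {"ok": True}


def browser_flow(service, token, code, new_password, complete, tamper=False):
    """The front end's view of steps 4-7. tamper=True simulates the Burp step:
    the 401 is rewritten to 200 and the error removed before the page's
    JavaScript sees it."""
    status, body = service.verify_2fa(token, code)
    if tamper and status == 401:
        status, body = 200, {"ok": True}
    if status != 200:
        return status, body          # an honest page stops here
    return complete(token, new_password)


def run(fixed, code, tamper):
    """Return (final_status, password_was_changed) for one reset attempt."""
    svc = ResetService()
    svc.passwords["victim@example.com"] = "old-password"   # constructed victim
    token = svc.issue_token("victim@example.com")
    complete = svc.complete_reset_fixed if fixed else svc.complete_reset_vulnerable
    status, _ = browser_flow(svc, token, code, "attacker-chosen", complete, tamper)
    return status, svc.passwords["victim@example.com"] == "attacker-chosen"


if __name__ == "__main__":
    print("vulnerable, wrong code, tampered response:", run(False, "000000", True))
    print("fixed, wrong code, tampered response:     ", run(True, "000000", True))
    print("fixed, correct code, untouched response:  ", run(True, DEMO_OTP, False))
```

The lesson the model makes visible is that response manipulation never changes anything on the server; it only changes what the browser believes. The bypass works exactly when the server relies on the browser to sequence the steps. The check that closes it is the one in `complete_reset_fixed`: the state "2FA passed for this reset token" must be written and read on the server side, never inferred from the client's behaviour.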

Stripe’s security team has now fixed the vulnerability.

Two-factor authentication is an additional layer of protection. Even if a user's email address and password have leaked, the second factor should still protect the account. With this flaw, an attacker who had compromised the victim's email could take over a Stripe account with 2FA enabled by manipulating the response to the 2FA code check on the password reset page.

Happy Hacking.
