2FA bypass that made me $______
Hey Everyone!
After my recent blog, I felt like writing again, and here we are! I will keep it as simple as possible, but technical.
What is a 2FA bypass?
A second-layer-protection or two-factor authentication (2FA) bypass is a technique or attack used to skip this layer of security. A 2FA bypass is often achieved by chaining an existing vulnerability. For example:
HTTP Response Manipulation leads to 2FA Bypass
IDOR on user_id for Disable 2FA leads to 2FA bypass
In our case, lack of CSRF protection on sensitive functionality like disabling 2FA.
What is CSRF?
Cross-Site Request Forgery (CSRF) is an attack in which a threat actor carefully forges a malicious HTTP request to trick victims into performing an action they did not intend to perform.
So now that we have the basics covered, let’s get into the vulnerability. While testing a web application, I noticed it had 2FA functionality. This is one of my favorite features to test, as you can get very creative and find interesting bugs.
The general flow of turning 2FA on for an account is:
- Initiate the 2FA On function on the web application.
- Download the recommended app by the web application on your device.
- Scan the Secret QR code on the app.
- Enter the 6-digit code generated by the app in the web application.
- Submit the request and you are done.
You have turned on the second layer of security for your account. What does this mean?
Now whenever you wish to perform a sensitive action on your account, you’ll be prompted by the web application to enter your 2FA code, which regenerates every 30 seconds, so it can’t be brute-forced, and each code only works once. (This statement contains two conditions to test for.)
So now that I had my 2FA on, I quickly signed out to look for bugs on the login flow, like response manipulation, forced directory browsing, and forgot password, but I had no luck finding anything that bypassed the functionality. So I then decided to try bypassing 2FA post-login; this gives you two different sets of endpoints to test, pre-login and post-login.
Once I was logged in, I decided to look for clickjacking on Delete user or Disable 2FA, but both were secured. I then looked for IDOR and captured the disable-2FA request and, to my surprise, there was no protection applied to this functionality at all: the server did not prompt for a 2FA code or a password, and it was a simple GET request that called the API to disable the second layer of protection.
GET /api/v1/mfaturnoff HTTP/1.1
Host: staging.example.com
Cookie: some imp cookies
User-Agent: broswer
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://example.com
As soon as I noticed the request, CSRF popped into my mind and I generated a PoC using Burp Suite.
Once my PoC was generated, I saved it under CSRF.html, made a new account on a different browser… turned on my 2FA… opened my CSRF PoC, and submitted my request. The server responded with,
I had successfully disabled a user’s 2FA without them realizing it. To deliver my malicious request, I could rely on other weaknesses in the web application, such as missing DMARC records, which allowed me to send a user an email from a company address like support@example.com containing a link to my server that served this malicious HTTP request.
As there were no parameters involved, the PoC could be used for mass exploitation.
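For comparison, here is what the disable-2FA handler should have checked before acting. This is an added example written for this post, not code from the application being tested; the session store, the origin value and the accepted TOTP code are all constructed stand-ins.

```python
import hmac

# Constructed session store: session cookie -> session record (not a real app's).
SESSIONS = {
    "sess-victim": {"user": "victim", "csrf": "c0ffee1234", "mfa_on": True},
}
APP_ORIGIN = "https://staging.example.com"   # assumed origin of the application
USED_CODES = set()                           # (user, code) pairs already consumed


def verify_totp(user, code):
    """Stand-in for a real TOTP verifier: accepts one constructed code and
    enforces the 'a code only works once' rule by remembering consumed codes."""
    if not (user == "victim" and code == "123456"):
        return False
    if (user, code) in USED_CODES:
        return False
    USED_CODES.add((user, code))
    return True


def disable_mfa(method, headers, cookies, form):
    """Decide whether a disable-2FA request may proceed.
    Returns (http_status, reason), the way a handler would."""
    # 1. A state change must not ride on GET: a GET fires from a bare link or
    #    <img> tag with nothing for the browser or framework to refuse.
    if method != "POST":
        return 405, "disable-2fa requires POST"
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    # 2. Origin must be our own site; a page on another origin cannot spoof it.
    if headers.get("Origin") != APP_ORIGIN:
        return 403, "cross-origin request rejected"
    # 3. A session-bound CSRF token must be echoed in the body (constant-time compare).
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, "missing or invalid CSRF token"
    # 4. Step-up: turning 2FA off needs a fresh TOTP code, not just a logged-in cookie.
    if not verify_totp(session["user"], form.get("totp", "")):
        return 403, "valid current 2FA code required"
    session["mfa_on"] = False
    return 200, "2FA disabled"


def cross_site_request():
    """The request shape from the write-up: a GET carrying only the victim's
    ambient session cookie, no token and no TOTP (constructed)."""
    return disable_mfa("GET", {"Origin": "https://other-site.invalid"},
                       {"session": "sess-victim"}, {})
```

Any one of checks 1 to 3 would have stopped the CSRF PoC above; check 4 is what makes "disable 2FA" a sensitive action in its own right.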
So how much did I get paid for this bug?
The company kept stalling for weeks and in the end, stopped replying altogether. I had fun finding it and writing about it.