How I bypassed Two-Factor Authentication with 3 different methods on the same target
Hey guys, I hope you are doing well. Happy to write my second article on Medium ♥
Summary:
This is the story of how I was able to bypass 2FA on a private bug bounty program THREE times with 3 different methods.
Vulnerability Type: Improper Authentication - Generic
Severity: Medium
Bounty: $300
Description
Hi again, I hope this write-up helps you learn something new and apply it to your bug-hunting techniques. I will discuss 3 methods to bypass Two-Factor Authentication.
1- Bypass 2FA via insecure design:
Insecure design vulnerabilities arise when developers, QA, and/or security teams fail to anticipate and evaluate threats during the code design phase. These vulnerabilities are also a consequence of the non-adherence of security best practices while designing an application. As the threat landscape evolves, mitigating design vulnerabilities requires consistent threat modeling to prevent known attack methods. Without a secure design, it is difficult to detect and remediate architectural flaws.
Exactly as you read in the previous sentence, “These vulnerabilities are also a consequence of the non-adherence of security best practices while designing an application”. So for this method, after creating the account and enabling 2FA (SMS), I wanted to see how the 2FA flow works and whether there is an insecure design or not.
After logging in again with my email and password, the website redirected me to the Two-Factor Authentication page, which adds a phone number field to receive the (SMS) code.
At this step I asked myself what happens if I just access my dashboard directly. That means I simply delete the login?redirect=%2F part of the URL:
https://my-snaphot.redacted.io/login?redirct=%2Fwelcome ==> https://my-snaphot.redacted.io/welcome and press Enter.
Yes, it works: the website redirected me to the /welcome page in my account. Yup, it’s really easy, as I said this is an easy one :)
2- Bypass 2FA via abusing the React framework:
I think the problem here with the React framework is this: compared to the server side, the client side is exposed to multiple actions performed by users. That’s why client-side authentication and authorization often fall victim to security flaws. Read more: The most common React.js cyberattacks.
Now we are at step 2, the Two-Factor Authentication page. Let’s bypass 2FA with just the developer tools 😂
In any application built with the React framework, I always check what is in local storage: whether any data is stored there or not, and whether I can change this data or not.
Just as I expected, I found skeletor-snapshot, which contained information about the user and 2FA.
So I tried to change “twoFactor”:true ==> “twoFactor”:false and just refreshed the page.
Again it worked and redirected me to my account 💯.
3- Bypass 2FA via Reusable Response:
This method is very weird to me; you will know why at the end. I will jump to the steps to reproduce directly:
- Log in to your account and enable 2FA (SMS)
- Log out and log in again; notice that SMS verification is asked for. Enter the correct SMS code
- Intercept the request, capture the successful response and save it
- Then log out
- Log in again but enter an incorrect OTP (wrong code)
- Intercept the request and replace the response with the saved correct-code response
- BOOOM, it worked
The fact of the matter is that I was expecting this to work, but what came next is weird.
The weird thing is that if I used my successful response on any different account, this would succeed too.
The response does not necessarily belong to the same user; the bypass will succeed with any response from another user.
TIPS:-
- For any website using the React framework, try Method Two.
Thanks for reading! I will be posting more write-ups and bug bounty tips here and on my LinkedIn: https://www.linkedin.com/in/muhammad-elgllad/