Hello Hunters!!!

This is Vibhurushi Chotaliya. I hope you are all doing well. Today I want to share a recent finding from a Bugcrowd private program.

I found a 2FA bypass. How?

Below is the application behaviour that lets us bypass 2FA.

Application Logic 1:

  1. In one browser, a user session was active.
  2. From a different browser, I requested a password reset ("forgot password") for that user.
  3. The reset link contained the same token as the active session, i.e. the reset token and the session token were identical.
  4. Strange, right?

Application Logic 2:

  1. After the password reset, the user is redirected straight into the account; they do not have to log in again.

Application Logic 3:

  1. When the user logs in, the application generates a session token and then redirects to the 2FA step.
  2. On successful 2FA, a second token (2fa_token) is generated.

Attacker Scenario:

  1. Assume the attacker holds the victim's credentials (but not the victim's 2FA device).
  2. The attacker logs in and the application asks for 2FA.
  3. At this point the attacker already holds a session token (see Application Logic 3).
  4. In a different browser, the attacker uses that session token as the reset token in the password-reset link (see Application Logic 1):
    https://www.example.com/preset?resettoken=[value of current session]
  5. The attacker resets the password and is redirected into the account without ever being asked for 2FA (see Application Logic 2).
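To make the chain concrete, here is an added toy model of the three behaviours and of the attacker scenario, written for this write-up and not taken from the affected application or from Bugcrowd. Every class, method and value in it (`VulnerableApp`, `HardenedApp`, `attack`, the 900-second reset lifetime, the `example.com` URL, the sample user and 2FA code) is an assumption for illustration. `VulnerableApp` reproduces the bug: a session token exists before 2FA, any live session token is accepted as a reset token, and completing a reset marks the session fully authenticated. `HardenedApp` shows the fix a practitioner would ask for: a reset token generated independently of any session, stored hashed, expiring and single-use, with the reset itself granting no session at all, so the caller must log in and pass 2FA again.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    mfa_passed: bool = False  # set only after a correct 2FA code


class VulnerableApp:
    """Toy model of the three observed behaviours (not the real application)."""

    def __init__(self):
        self.passwords = {}  # user -> password (plaintext only in this toy)
        self.totp = {}       # user -> the one code accepted as 2FA (constructed)
        self.sessions = {}   # session token -> Session

    def register(self, user, password, code):
        self.passwords[user] = password
        self.totp[user] = code

    def login(self, user, password):
        """Logic 3: a session token is issued before 2FA has been passed."""
        if self.passwords.get(user) != password:
            return None
        tok = secrets.token_hex(16)
        self.sessions[tok] = Session(user)
        return tok

    def verify_2fa(self, tok, code):
        s = self.sessions.get(tok)
        if s is not None and self.totp.get(s.user) == code:
            s.mfa_passed = True
            return True
        return False

    def forgot_password(self, user):
        """Logic 1: the reset link carries the user's live session token."""
        for tok, s in self.sessions.items():
            if s.user == user:
                return f"https://www.example.com/preset?resettoken={tok}"
        return None

    def reset_password(self, resettoken, new_password):
        """Logic 1 + 2: any live session token is accepted as the reset token,
        and finishing the reset lands the caller in the account with no 2FA."""
        s = self.sessions.get(resettoken)
        if s is None:
            return None
        self.passwords[s.user] = new_password
        s.mfa_passed = True
        return s.user

    def is_logged_in(self, tok):
        s = self.sessions.get(tok)
        return s is not None and s.mfa_passed


class HardenedApp(VulnerableApp):
    """Same surface; reset tokens are independent, hashed, expiring and
    single-use, and completing a reset grants no session at all."""

    RESET_TTL = 900  # seconds; an assumed value

    def __init__(self):
        super().__init__()
        self.reset_tokens = {}  # sha256(token) -> (user, expiry)

    def forgot_password(self, user):
        if user not in self.passwords:
            return None
        raw = secrets.token_urlsafe(32)  # unrelated to any session token
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self.reset_tokens[digest] = (user, time.time() + self.RESET_TTL)
        return f"https://www.example.com/preset?resettoken={raw}"

    def reset_password(self, resettoken, new_password):
        digest = hashlib.sha256(resettoken.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)  # single use
        if entry is None or entry[1] < time.time():
            return None
        user, _ = entry
        self.passwords[user] = new_password
        # Drop every session of that user; they must log in and pass 2FA again.
        self.sessions = {t: s for t, s in self.sessions.items() if s.user != user}
        return user


def attack(app, user, password, new_password="pwned"):
    """Attacker with the victim's password but no 2FA device (the scenario
    above). Returns True when the attacker ends up fully logged in."""
    tok = app.login(user, password)  # step 2/3: stuck at the 2FA prompt
    if tok is None:
        return False
    # Step 4: the attacker pastes the pre-2FA session token into the reset URL.
    url = f"https://www.example.com/preset?resettoken={tok}"
    resettoken = url.split("resettoken=", 1)[1]
    app.reset_password(resettoken, new_password)  # step 5
    return app.is_logged_in(tok)
```

Run `attack()` against `VulnerableApp` after registering a user and it returns True with the password changed; against `HardenedApp` the pasted session token hashes to nothing in `reset_tokens`, the reset is refused, and the attacker's session stays stuck at the 2FA prompt. The legitimate reset on `HardenedApp` still works once, then the link is dead, and the new password only gets the user back to the 2FA step.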

Associate Security Engineer at Oracle + Bug Bounty Hunter