This is Vibhurushi Chotaliya. I hope you guys are doing well… Today I want to share my recent finding on a Bugcrowd private program.
I found a 2FA bypass. How?
Below is the application behaviour that lets us bypass 2FA.
Application Logic 1:
- In one browser, a user session was active.
- From a different browser, the forgot-password flow was started for that user.
- The reset link received held the same reset token as the current user's session token, i.e. the reset token and the session token were identical.
- Strange, right!!
Application Logic 2:
- After the password reset, the user is redirected to the account, i.e. the user does not have to log in again.
Application Logic 3:
- Once the user logs in, one session token is generated; then the user is redirected to 2FA.
- On successful 2FA, another 2fa_token is generated.
- Let's say the attacker holds the victim's credentials.
- The attacker logs in, and the application asks for 2FA.
- Now the attacker holds one session token.
- In a different browser, the attacker uses the same session token for a password reset, and the link looks like the following (see Application Logic 1):
https://www.example.com/preset?resettoken=[value of current session]
- The attacker resets the password and is redirected to the account without being asked for 2FA (see Application Logic 2).
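The two behaviours above, modelled next to a fixed version, as an added example (Python; not code from the original post or the affected program; the `ResetFlow` class, the `alice` account and its password are constructed). With `vulnerable=True` the reset token is the live pre-2FA session token and the reset lands in an authenticated session; with `vulnerable=False` the reset token is independent and single-use, and the reset revokes every session for the account and issues none, so a fresh login through 2FA is the only way in.

```python
import hmac
import secrets

class ResetFlow:
    def __init__(self, vulnerable):
        self.vulnerable = vulnerable
        self.sessions = {}      # session_token -> {"user": ..., "mfa_done": bool}
        self.reset_tokens = {}  # reset_token -> user (single use)
        self.passwords = {"alice": "correct-horse"}  # constructed account, plaintext to keep the model short

    def login(self, user, password):
        # Password step only: a session exists, but 2FA is still pending.
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None
        tok = secrets.token_urlsafe(32)
        self.sessions[tok] = {"user": user, "mfa_done": False}
        return tok

    def request_reset(self, user):
        # Value that lands in /preset?resettoken=... (Application Logic 1).
        if self.vulnerable:
            # Bug: the reset token is the account's live session token.
            tok = next(t for t, s in self.sessions.items() if s["user"] == user)
        else:
            tok = secrets.token_urlsafe(32)  # independent of any session
        self.reset_tokens[tok] = user
        return tok

    def complete_reset(self, reset_token, new_password):
        # Returns the session the reset hands back, if any (Application Logic 2).
        user = self.reset_tokens.pop(reset_token, None)
        if user is None:
            return None
        self.passwords[user] = new_password
        if self.vulnerable:
            # Bug: the reset redirects into the account with 2FA marked done.
            self.sessions[reset_token] = {"user": user, "mfa_done": True}
            return reset_token
        # Fix: revoke every session for the account and issue none here, so the only way back in is a fresh login through 2FA.
        self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user}
        return None

    def is_fully_authenticated(self, token):
        return bool(self.sessions.get(token, {}).get("mfa_done"))

def reset_skips_2fa(vulnerable):
    # Replays the steps from the post; True means 2FA was bypassed.
    app = ResetFlow(vulnerable)
    app.login("alice", "correct-horse")  # stops at the 2FA prompt
    session = app.complete_reset(app.request_reset("alice"), "new-password")
    return app.is_fully_authenticated(session)
```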