How I Got Second Swag Found [ Previously Created Sessions Continue Being Valid After 2FA activation ]

cyberyash
Sep 9, 2023

Hello Hackers!!

Hope you all are great.

This is my third write-up, on how I discovered [ Previously Created Sessions Continue Being Valid After 2FA activation ].

If you have not gone through my first one, do check it out here:

https://medium.com/@yashkushwah381/how-i-get-bounty-for-discovering-information-disclosure-via-github-repository-3dc3c87ebb52.

If you have not gone through my second one, do check it out here:

https://medium.com/@cyberyash/how-i-got-swag-found-logical-bug-enabling-2fa-without-verifying-email-307b7dc46ccb

This third write-up is about the vulnerability [ Previously Created Sessions Continue Being Valid After 2FA activation ].

Get Started…..

(Read Full Write-Up)

What is 2FA

2FA stands for Two-Factor Authentication, the most common form of multi-factor authentication (MFA). It is a security mechanism that adds an extra layer of protection to user accounts by requiring a second, independent proof of identity (for example a TOTP code or a hardware key) on top of the password, so that a leaked password alone is not enough to log in.

Understanding the Bug:

When a user enables 2FA, every other session that was authenticated with only a password should be invalidated (or at least forced through the second factor) before it can be used again. In the target application this did not happen: sessions created before 2FA activation stayed valid, and the user was not logged out of them. That defeats the main reason people turn on 2FA after a scare. An attacker who already holds a live session, because they logged in earlier with a stolen password or captured the session cookie, keeps that access after the victim enables 2FA and never has to present the second factor.

Exploitation Scenario:

  1. Log in to the same account on https://Target.com from two devices, 'A' and 'B'.
  2. On device 'A', go to https://Target.com/security and complete all the steps to activate 2FA.
  3. 2FA is now active for this account.
  4. Go back to device 'B' and reload the page. Observe that the application does not invalidate the previous session: device 'B' is still logged in without ever presenting the second factor.
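To make the behaviour above concrete, here is an added example (not code from the original write-up or from the target application) of a minimal in-memory session model. The base class reproduces the bug: enabling 2FA only flips a flag on the user record and touches no existing session. The hardened subclass applies one common fix: each user carries an auth generation counter that every session records at issue time; enrolling 2FA bumps the counter, so any session issued under the old value is rejected on its next request, except the one that performed the enrolment. All class and function names, the users and the passwords are hypothetical.

```python
# Added example, not code from the original write-up: a minimal in-memory
# session model that reproduces the reported behaviour (sessions issued before
# 2FA enrolment stay valid) and one common fix (a per-user auth generation that
# every session carries; enrolling 2FA bumps it, so older sessions are rejected
# on their next request). All names, users and passwords are hypothetical.
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str             # plaintext only to keep the demo short; hash it in real code
    totp_enabled: bool = False
    auth_generation: int = 0  # incremented on security-sensitive account changes


@dataclass
class Session:
    username: str
    generation: int           # value of User.auth_generation when the session was issued


class VulnerableApp:
    """Enabling 2FA flips a flag on the user but leaves every existing session untouched."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    def register(self, username, password):
        self.users[username] = User(username, password)

    def login(self, username, password, totp_ok=False):
        user = self.users[username]
        if user.password != password:
            raise PermissionError("bad password")
        if user.totp_enabled and not totp_ok:
            raise PermissionError("second factor required")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.auth_generation)
        return sid

    def current_user(self, sid):
        """Resolve a session id to a User, or None if the session is not valid."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        user = self.users[sess.username]
        if sess.generation != user.auth_generation:
            # Session predates a security-sensitive change: evict it.
            del self.sessions[sid]
            return None
        return user

    def enable_2fa(self, sid):
        user = self.current_user(sid)
        if user is None:
            raise PermissionError("not logged in")
        user.totp_enabled = True
        # Bug: nothing happens to the user's other sessions, so they keep working.


class HardenedApp(VulnerableApp):
    """Same app, but enrolling 2FA invalidates every other session of the user."""

    def enable_2fa(self, sid):
        super().enable_2fa(sid)
        user = self.users[self.sessions[sid].username]
        user.auth_generation += 1
        # Keep only the session that performed the enrolment (it just proved control
        # of the account); every other session now fails the generation check.
        self.sessions[sid].generation = user.auth_generation


def reproduce(app):
    """Run the write-up's four steps and report whether device B's session survives."""
    app.register("alice", "correct horse")         # constructed test account
    sid_a = app.login("alice", "correct horse")    # step 1: device A
    sid_b = app.login("alice", "correct horse")    # step 1: device B
    app.enable_2fa(sid_a)                          # steps 2-3: enrol 2FA from device A
    return app.current_user(sid_b) is not None     # step 4: reload on device B


if __name__ == "__main__":
    print("vulnerable: device B still logged in ->", reproduce(VulnerableApp()))  # True
    print("hardened:   device B still logged in ->", reproduce(HardenedApp()))    # False
```

The same generation counter is what makes "log out of all other devices" and password-change revocation work, so a site that already has it for password changes only needs to bump it from the 2FA enrolment handler as well. A real implementation would also rotate the session identifier of the enrolling session and store the counter wherever sessions are validated (database, Redis, or inside a signed token), since the check has to run on every request, not just at login.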

Boooom!

I submitted my report through the bug bounty program’s designated platform, ensuring that all required information was provided.

Impact:

The bug poses a serious security risk because it undermines the purpose of 2FA. A user who suspects their password has leaked and enables 2FA to lock the account down does not actually evict an attacker who is already logged in: the pre-existing session keeps working and is never asked for the second factor. Note that an attacker who only knows the password and has no live session would be stopped at the next login, so the exposure is specifically the sessions that were alive when 2FA was turned on. Enabling 2FA should revoke other sessions in the same way a password change normally does.

I reported it on the 3rd of June and they replied to me after two weeks.

We are not currently able to pay for bugs due to accounting reasons, but we would like to say thank you. If you could let me know a shipping address and your t-shirt size, we will send some swag your way.

Conclusion:

The security vulnerability where sessions issued before 2FA was enabled are not invalidated exposes users to significant risk and undermines the very purpose of 2FA. Addressing this issue promptly and transparently is crucial to maintaining user trust and ensuring the security and privacy of online accounts.

cyberyash! :)

Connect with me:

LinkedIn:

https://www.linkedin.com/in/yash-kushwah-a80449229/

Instagram:

https://www.instagram.com/cyberyash951/?hl=en

HAPPY HACKING :)
