Hi readers, I am HEMANT SINGH MANRAL a bug hunter from India.
This is my first write up so forgive my mistakes.
I am not revealing the name of the website; we will assume it is example.com.
Method used by example.com for 2fa:
-> There were two options to set up 2FA:
1) Authenticator App
2) YubiKey OTP
Nothing interesting yet, at least for me. But then I saw an option to add a recovery method, either by email or by phone number. This was provided so that if we are not able to use the authenticator app code for 2FA, we have an alternative.
When we use this alternative, it sends a 6-character code to our phone number. The first thing that comes to mind is brute forcing: a 6-character code, valid for a long time, no rate limiting, everything set, what else could we want? The problem was that this code was a STRING, i.e. a combination of letters and digits. Brute forcing it would take too much time and the report would have been rejected.
So I decided to go for some other way.
It's time for Burp Suite to get into this... :)
The way i approached:
1) I intercepted the POST request that sends the recovery code in Burp Suite, which looked like this:
An interesting request. Look at the parameter "sendCodeTo", whose name tells what it is used for, so I decided to test this parameter.
Using the same phone number, I checked whether this parameter value changed for every new request or not. It stayed constant... hmm, that was interesting.
I changed my recovery phone number and captured the request for getting the 2FA code on my device: again the same request, but with a different value of the parameter "sendCodeTo".
So the above two tries showed that each phone number is assigned a particular 7-digit value which is used to identify that phone number.
-> Let 'A' be one account with recovery phone number 'a', and 'B' another account with recovery phone number 'b'.
-> This means 'a' is assigned a unique id, say 1234567.
-> And 'b' is also assigned a unique id, say 8901234.
2) I logged in with 'A'. It asked for the 2FA code, and I switched to the alternative, i.e. getting the code via phone number.
-> I captured the POST request, which looked like this:
I changed the value of the parameter "sendCodeTo" to the unique id assigned to 'b',
so now the POST request looked like this:
I forwarded this and waited for a while, but I didn't get any code on 'b'.
3) Now I changed the phone number for account 'A', i.e. 'a', to another phone number; assume it to be 'c', and let the unique id assigned to it be 5423147.
So now the scenario is:
Account 'A' with phone number 'c' (i.e. 5423147)
Account 'B' with phone number 'b' (i.e. 8901234)
And... 'a' still has the unique id 1234567.
Now assume 'B' is the victim's account and 'A' is the attacker's account.
4) I logged in with account 'B' -> for 2FA I used the phone number option -> captured the request, which looked like this:
5) I changed the value of the parameter "sendCodeTo" to 1234567; now the request looked like this:
6) I forwarded this request and yes, I got the 2FA code on 'a', the number previously used by 'A', i.e. on the attacker's old number.
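To make the root cause concrete, here is an added example (my own illustration, not code from the original post or from the affected site). It models the recovery-code endpoint with an in-memory store: a constructed vulnerable version that only rejects an id currently linked to a different account (one simple implementation that matches both observations above: 'b''s id was refused while logged in as 'A', but the stale id of 'a' was accepted while logged in as 'B'), and a fixed version that requires the "sendCodeTo" id to be linked to the account that is currently authenticating. The ids, account names and phone numbers are the write-up's placeholders or constructed values; send_sms() is replaced by a list that records what would have been sent.

```python
"""Recovery-code endpoint: vulnerable lookup beside its hardened form.

Constructed illustration. The store, ids and numbers are hypothetical; they
follow the scenario in the write-up ('a' = 1234567 is A's old, now unlinked
number; 'c' = 5423147 is A's current number; 'b' = 8901234 is B's number).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import secrets
import string


@dataclass
class PhoneRecord:
    phone_id: int
    number: str
    owner: Optional[str]  # account currently using this number for recovery; None if unlinked


@dataclass
class Store:
    phones: Dict[int, PhoneRecord] = field(default_factory=dict)
    sent: List[Tuple[str, str]] = field(default_factory=list)  # (number, code) in place of send_sms()


def make_code(length: int = 6) -> str:
    """6-character alphanumeric code, like the one described in the write-up."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def send_recovery_code_vulnerable(store: Store, session_account: str, send_code_to: int) -> str:
    """Constructed model of the reported behaviour.

    The only check is that the id is not currently linked to a *different*
    account. A stale, unlinked id (owner is None) passes, so a code for the
    authenticating account is delivered to a number nobody owns any more.
    """
    rec = store.phones.get(send_code_to)
    if rec is None or (rec.owner is not None and rec.owner != session_account):
        return "rejected"
    store.sent.append((rec.number, make_code()))
    return "sent"


def send_recovery_code_fixed(store: Store, session_account: str, send_code_to: int) -> str:
    """Hardened: the id must be linked to the account that is authenticating.

    Unknown, foreign and unlinked ids all get the same answer, so the endpoint
    gives no hint about which ids exist or whom they belong to.
    """
    rec = store.phones.get(send_code_to)
    if rec is None or rec.owner != session_account:
        return "rejected"
    store.sent.append((rec.number, make_code()))
    return "sent"


def build_store() -> Store:
    """Constructed state after step 3 of the write-up."""
    s = Store()
    s.phones[1234567] = PhoneRecord(1234567, "+10000000001", None)  # 'a': A's old number, unlinked
    s.phones[5423147] = PhoneRecord(5423147, "+10000000003", "A")   # 'c': A's current number
    s.phones[8901234] = PhoneRecord(8901234, "+10000000002", "B")   # 'b': B's number
    return s


if __name__ == "__main__":
    vuln = build_store()
    print("vulnerable, B -> stale id 1234567:", send_recovery_code_vulnerable(vuln, "B", 1234567))
    print("delivered to:", vuln.sent[-1][0] if vuln.sent else None)
    fixed = build_store()
    print("fixed, B -> stale id 1234567:", send_recovery_code_fixed(fixed, "B", 1234567))
    print("fixed, B -> own id 8901234:", send_recovery_code_fixed(fixed, "B", 8901234))
```

The point of the fixed version is that ownership is resolved from the server-side session, not from the client-supplied id: the id only selects among the numbers already linked to that account, and unlinking a number must also stop it from being a valid delivery target.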
1. I reported this bug on 15th September.
2. I got their reply that they had successfully reproduced the issue on 17th September.
3. The company rewarded me with $250 on 12th October.
Looking forward to sharing more blogs.
Hemant Singh Manral
You can reach me at: www.linkedin.com/in/hemant-singh-manral-7a33a6174