BugBounty: How I Cracked 2FA (Two-Factor Authentication) with a Simple Brute-force !!! 😎
Today I would like to share how I was able to bypass an OTP (One Time Password) login with a simple brute-force attack on India's biggest travel service provider. The OTP is used as an additional security measure, commonly termed 2FA. For those who don't know what 2FA is:
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which the user provides two different authentication factors to verify themselves, to better protect both the user's credentials and the resources the user can access. A second factor only adds protection if it is at least as hard to guess as the first.
Here the OTP was a 4-digit numeric code, so there are only 10,000 possible values (0000 to 9999). A tool such as Burp Intruder can submit all 10,000 to a verification endpoint in a few minutes. Unless the server limits how many guesses it accepts for one OTP, anyone can bypass this step with a simple brute force. (A 6-digit OTP has 1,000,000 values, which takes longer but is still exhaustible when no rate limit is in place.)
Why was I able to bypass the 2FA?
No rate limiting on unsuccessful attempts
No new-OTP policy after X unsuccessful attempts (the same OTP stayed valid no matter how many wrong guesses were submitted)
Tools used:
- Web Browser
- Burp Suite
Now let's see how I was able to bypass the 2FA with Burp Suite:
Step 01: Logged into the website using the mobile number, entered a wrong OTP, and intercepted the request in Burp Suite.
Step 02: Sent the verifyOTP API call to Intruder.
Step 03: Selected the OTP parameter value and marked it as the payload position for a simple brute force.
Step 04: In the Payloads tab, changed the payload type to Numbers, set the range to cover 0000 to 9999 (sequential, with a minimum of 4 digits so leading zeros are kept), and clicked Start attack.
Step 05: As the brute force ran, the response length for one OTP value stood out: every wrong guess returned 617 bytes, while one guess returned 2250. Let's check that response:
Step 06: Boom!!! That response contained the login token, and I was able to log in with it.
Hence, the simple brute force was successful.
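As an added example (not code from the original post or from the affected site), the following Python script models the attack and the two root causes listed above: a vulnerable verifier that accepts unlimited guesses against the same OTP, a hardened one that counts failures per mobile number and invalidates the OTP after a fixed number of wrong guesses, and a brute-force loop that, like Intruder in Steps 04 and 05, walks 0000 to 9999 and spots the hit by the change in response length. The JSON response bodies, the mobile number, the token value and the lockout threshold of 5 are all assumptions; the real verifyOTP API's request and response format is not known from the post.

```python
import hmac
import json
import secrets

OTP_DIGITS = 4           # the post describes a 4-digit OTP, 0000-9999
MAX_ATTEMPTS = 5         # assumed lockout threshold; the site in the post had none
MOBILE = "9999999999"    # constructed sample mobile number, not a real account


def generate_otp(digits=OTP_DIGITS):
    """Random numeric OTP, zero-padded (e.g. "0042")."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class VulnerableOtpService:
    """Models the behaviour the post describes: no rate limiting and no
    invalidation of the OTP after wrong guesses, so all 10,000 values can be
    tried against the same OTP. Response bodies are assumed, not the site's."""

    def __init__(self, otp):
        self.otp = otp

    def verify(self, mobile, guess):
        if guess == self.otp:
            # Longer body (like the 2250-byte response in the post) carrying the token.
            return json.dumps({"status": "success",
                               "token": "hypothetical-session-token",
                               "mobile": mobile})
        return json.dumps({"status": "failure", "message": "Invalid OTP"})


class HardenedOtpService:
    """Fixes both root causes from the post: failed attempts are counted per
    mobile number, and after max_attempts the OTP is invalidated so the user
    must request a fresh one. The OTP is also single-use."""

    def __init__(self, otp, max_attempts=MAX_ATTEMPTS):
        self.otp = otp
        self.max_attempts = max_attempts
        self.failures = {}       # mobile -> wrong guesses submitted for this OTP
        self.active = True

    def verify(self, mobile, guess):
        if not self.active:
            return json.dumps({"status": "failure",
                               "message": "OTP expired, request a new one"})
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(guess.encode(), self.otp.encode()):
            self.active = False  # single use: the same OTP cannot log in twice
            return json.dumps({"status": "success",
                               "token": "hypothetical-session-token",
                               "mobile": mobile})
        self.failures[mobile] = self.failures.get(mobile, 0) + 1
        if self.failures[mobile] >= self.max_attempts:
            self.active = False  # burn the OTP; a new one must be issued
        return json.dumps({"status": "failure", "message": "Invalid OTP"})


def brute_force(service, mobile, digits=OTP_DIGITS):
    """Replays the Intruder attack: take a baseline from a deliberately wrong
    guess (Step 01), then submit 0000..9999 and inspect the first response
    whose length differs from the baseline (Step 05). Returns a summary dict."""
    baseline = service.verify(mobile, "x" * digits)  # can never match a numeric OTP
    baseline_len = len(baseline)
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        resp = service.verify(mobile, guess)
        if len(resp) == baseline_len:
            continue                      # same as the failure baseline, keep going
        body = json.loads(resp)
        if body.get("status") == "success":
            return {"found": True, "otp": guess, "attempts": n + 1,
                    "token": body["token"]}
        # A different-length failure means the server changed its answer (lockout).
        return {"found": False, "otp": None, "attempts": n + 1,
                "reason": body.get("message")}
    return {"found": False, "otp": None, "attempts": 10 ** digits,
            "reason": "exhausted"}


if __name__ == "__main__":
    otp = generate_otp()
    print("vulnerable:", brute_force(VulnerableOtpService(otp), MOBILE))
    print("hardened:  ", brute_force(HardenedOtpService(otp), MOBILE))
```

Against the vulnerable service the loop always recovers the OTP (at most 10,000 guesses); against the hardened one it is stopped after five wrong guesses and the correct value no longer works even if it is tried afterwards. Per-OTP attempt limits should be combined with per-account and per-IP rate limiting on the verify endpoint, since an attacker can otherwise keep requesting fresh OTPs and get a new batch of guesses each time.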