BugBounty: How I Cracked 2FA (Two-Factor Authentication) with Simple Factor Brute-force !!! 😎

Akash Agrawal
Nov 8, 2019 · 3 min read

Today I would like to share how I was able to bypass OTP (One Time Password) login with a simple brute-force attack on India's biggest travel service provider. The OTP is treated as an additional security measure, termed 2FA. For those who don't know: what is 2FA?

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual factor authentication, is a security process in which the user provides two different authentication factors to verify themselves to better protect both the user’s credentials and the resources the user can access.

Generally, an OTP is a 4-digit number from 0000 to 9999, which gives 10,000 combinations. In the age of powerful computers, 10,000 combinations take only a few minutes to process. If OTP verification is not properly managed, anyone can bypass it with a simple brute force.

Why was I able to bypass the 2FA?

No rate limiting on unsuccessful attempts
No new-OTP policy after X unsuccessful attempts
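Added example (not code from the post or from the site it describes): a minimal server-side OTP verifier in Python that implements both missing controls, a per-user rate limit and invalidation of the code after a fixed number of failures, followed by a replay of the 0000 to 9999 sweep described below to show that only MAX_FAILURES guesses are ever evaluated. The thresholds, the class and function names and the constructed code 7351 are assumptions, not the provider's policy.

```python
import hmac
import secrets

MAX_FAILURES = 5          # failed guesses before the code is discarded (assumed policy)
OTP_TTL_SECONDS = 300     # a code expires after five minutes no matter what
MIN_INTERVAL_SECONDS = 2  # minimum spacing between guesses for one user (rate limit)
OTP_DIGITS = 4            # as on the page: 10**4 possible codes


class OtpVerifier:
    """Server-side OTP store; the clock is injected so the logic is testable."""
    def __init__(self, clock):
        self._clock = clock
        self._codes = {}  # user -> {"code", "expires", "failures", "last_try"}

    def issue(self, user, code=None):
        # `code` exists only so the simulation below is deterministic.
        code = code or f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[user] = {"code": code, "expires": self._clock() + OTP_TTL_SECONDS,
                             "failures": 0, "last_try": float("-inf")}
        return code  # delivered out of band; never placed in the HTTP response

    def verify(self, user, attempt):
        rec = self._codes.get(user)
        now = self._clock()
        if rec is None or now > rec["expires"]:
            self._codes.pop(user, None)
            return "no_active_otp"
        if now - rec["last_try"] < MIN_INTERVAL_SECONDS:
            return "rate_limited"  # the guess is not evaluated at all
        rec["last_try"] = now
        if hmac.compare_digest(rec["code"], attempt):  # constant-time comparison
            del self._codes[user]  # single use
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            del self._codes[user]  # user must request a fresh code
            return "locked_new_otp_required"
        return "wrong"


def simulate_enumeration(real_code="7351"):
    """Replay a 0000..9999 sweep; returns (guesses evaluated, any success)."""
    t = [0.0]  # constructed clock; each loop iteration advances it
    v = OtpVerifier(clock=lambda: t[0])
    v.issue("user", code=real_code)  # constructed code, not a real secret
    evaluated, success = 0, False
    for i in range(10 ** OTP_DIGITS):
        t[0] += MIN_INTERVAL_SECONDS
        result = v.verify("user", f"{i:0{OTP_DIGITS}d}")
        evaluated += result in ("ok", "wrong", "locked_new_otp_required")
        success = success or result == "ok"
    return evaluated, success
```

With these controls a sweep evaluates at most five guesses per issued code, so the success probability per code drops from certainty to 5/10,000; lengthening the code or adding a CAPTCHA after the first failures lowers it further.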

Few prerequisites:

  1. Web Browser
  2. Burp Suite

Now let's see how I was able to bypass the 2FA with Burp Suite:

Step 01: Logged into the website using the mobile number and entered a wrong OTP, so that the request could be intercepted in Burp Suite.

[Image: panel to enter the OTP received on the mobile number]
[Image: intercepting the Verify OTP API call in Burp Suite]

Step 02: Sent the verifyOTP API call to Intruder.

[Image: dialogue box for sending the request to Intruder]
[Image: Intruder screen in Burp Suite]

Step 03: Selected the OTP value as the payload position for a simple brute force.

[Image: Intruder screen with the OTP placeholder selected for brute force]

Step 04: Opened the Payloads tab, changed the payload type to Numbers, set the payload options as desired and started the attack.

[Image: Payloads screen for setting the desired payload options]
[Image: brute force in progress]

Step 05: As the brute force was in progress I could see that the response length for one of the OTP values changed from 617 to 2250. Let's check:

[Image: OTP response]

Step 06: Boom!!! I got the login token and was able to log in.

[Image: details of the successful login]

Hence, the simple brute force was successful.

Akash Agrawal

Written by

A computer geek, lover of programming and learner is how I would simply define myself, always looking to challenge myself in the fields of computers and cyber security.
