Bypass 2FA in a website

01.01.2020

Hii hunters ! I’m again with another story. I love 2FA, not because it provide extra security. Because of satisfaction to bypass them. Stay tuned with me because I’ll post more story on 2FA bypass. Enjoy the story !!

It was first day of 2020. I found a way to bypass 2fa in a website. I was randomly searching bug bounty program with GHDB. And found a domain that is allowing users to enable 2fa with google authentication app. Challenge accepted…

First I tried in login page. Tries every possible way but didn’t get any success. Then I thought lets look at the forget password page, I Entered my email ID and and clicked on ‘forgot password’ . After few seconds I got an email that looks like this: https://app.domain .io/reset/645hNr78tr5410HgG6yvYZtk2Y45lki7/

I visited the url and entered a new password. After clicking submit, a new window opened that asking me 2FA code. So I first tried with response manipulation. But didn’t work.

Then I looked at the request to see what was going on with my 2fa code. That was a POST request and in the body I found ‘reset_key’, ‘_csrf’, ‘email’, ‘password’ and ‘token’ parameters. ‘token’ is my 2FA code.

I deleted token parameter and it’s value. Then I forwarded the request. And BOOM… I was redirected in my account with a notification : “Password successfully changed” . I was like…

Thank you for your time. Hope you enjoyed this story. Happy Hunting.!!