2FA Misconfiguration leads to adding any number as 2FA verification.
I was testing 2FA on a website. At first I tried to bypass 2FA but was not successful, so I thought of something else: what if I could add anyone's phone number as 2FA?
First I entered my own phone number and waited for the 2FA code to arrive. When the code arrived I entered the valid code and captured the request with Burp Suite, then sent that request to Repeater to obtain its valid success response.
I got the response for a successful 2FA request.
Next, I tried to add a random phone number, and when it asked for a verification code I entered a random 6-digit code.
I then captured the request with Burp Suite along with its response.
When I got the response, I replaced it with the valid response I had in my Repeater tab and forwarded the request.
To my surprise, I was able to add anyone’s phone number as a 2FA verification.
So, to summarize (steps to reproduce):
1. Enter your number.
2. Enter the valid code and capture the request using Burp Suite.
3. Send the request to Repeater and get its valid response.
4. Now add anyone else's number.
5. Enter a random 6-digit code and capture its request along with the response.
6. Paste the old valid response.
7. Now you can see the number has been updated.
I reported this to the company, but it turned out it had already been reported by another researcher, so it was a duplicate.
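The root cause this flow exposes is that the number gets bound based on what the client reports after reading the verification response, rather than on state the server holds itself. The following is an added example (not code from the post or the affected site) contrasting that pattern with a hardened one in Python; `Account`, `vulnerable_bind`, `start_enrollment` and `verify_and_bind` are hypothetical names, and the phone numbers are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    verified_phone: Optional[str] = None
    pending: Optional[dict] = None  # {"phone": ..., "code": ..., "attempts": int}


# --- Vulnerable pattern (the one exercised above) -----------------------------
# The server sends the OTP, but the final "bind number" step trusts a flag the
# client sets after reading the verification response. Because that response
# can be rewritten in an intercepting proxy, the flag proves nothing.
def vulnerable_bind(acct: Account, phone: str, client_says_verified: bool) -> bool:
    if client_says_verified:
        acct.verified_phone = phone
        return True
    return False


# --- Hardened pattern ---------------------------------------------------------
MAX_ATTEMPTS = 5


def start_enrollment(acct: Account, phone: str) -> str:
    """Server generates the code and remembers which number it was sent to."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending = {"phone": phone, "code": code, "attempts": 0}
    return code  # in production this goes to the SMS gateway, never to the client


def verify_and_bind(acct: Account, phone: str, code: str) -> bool:
    """Bind only when server-held state says this code matches this phone."""
    p = acct.pending
    if p is None or p["phone"] != phone:
        return False  # no enrollment in progress for this number
    p["attempts"] += 1
    if p["attempts"] > MAX_ATTEMPTS:
        acct.pending = None  # too many guesses: force a fresh code
        return False
    if not hmac.compare_digest(p["code"], code):
        return False  # wrong code; the response says so but decides nothing
    acct.verified_phone = phone  # decision made from server state alone
    acct.pending = None  # code is single-use
    return True
```

In the hardened version the client cannot influence the outcome by altering the response it sees, because the bind happens inside the same server-side check that validated the code.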
Follow me on Twitter:- @BinamraPandey
Do Follow Techiepedia for more Interesting write-ups!