Bypass 2FA like a Boss

infosecwriteups.com · kh4sh3i/bug-bounty-writeups · 15 hours ago · bug-bounty
AI Summary

Researcher bypassed 2FA on www.domain.com by intercepting the login request with Burp Suite, changing the Host header to beta.domain.com (a parallel subdomain without 2FA enforcement), and submitting an arbitrary code (000000) to successfully authenticate. The vulnerability stemmed from inconsistent 2FA implementation across subdomains, fixed within one day but without bounty payout.

Entities
Seqrity InfoSec Write-ups
Bypass 2FA like a Boss

Hi, I'm seqrity=security 😉 (q==cu)

Seqrity · InfoSec Write-ups · ~2 min read · June 20, 2020 (Updated: December 15, 2021)

Hi,

This write-up is about a program that is public, but a disclosure policy is enabled on this program, so we assume the domain is: domain.com

In the recon process, I found that there are two websites that are the same:

www.domain.com
beta.domain.com

2FA was enabled on www.domain.com, and when you create an account on this domain you can log in on beta.domain.com without entering the 2FA code.

By default, 2FA was disabled. So I decided to enable it on www.domain.com and try to bypass it. After entering the username and password you must enter a 6-character code (digits and letters), and after 5 minutes the code expires. Therefore brute force doesn't work here.

Open Burp and intercept the request after entering the password, then change the Host header to beta.domain.com.
Enter 000000 in the twofactorcode field.
Forward the request. BOOOM. I had a successful login to www.domain.com without entering the correct code.

Report: 14 May 2020
Fixed: 15 May 2020
First Response: 19 May 2020
Bounty: NO. They didn't pay a bounty and said "our developers fixed that before reviewing your report"!!!

I asked: how are you sure that the program reviews reports after your triagers? Do you have any monitoring system for these situations? I want to know the program's reasons and evidence. These are their responses:

Support team responses:

My Twitter: https://twitter.com/seqrity9

#writeup #bug-bounty #security #infosec
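As an added illustration that is not part of the original write-up, the following Python models the flaw described above beside a hardened form: a login backend that decides whether to enforce 2FA from the request's Host header can be rewritten to the beta hostname and skip the check, while one that stores the requirement on the account enforces it on every host. The hostnames, the account, the one-time code and the per-host policy table are constructed assumptions about how the backend behaved, not the program's real code.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data: one account with 2FA enabled and its currently valid 6-character code.
ACCOUNTS = {"alice": {"password": "correct horse", "totp_enabled": True, "current_code": "4F9K2Q"}}
# Assumed vulnerable deployment: 2FA enforcement is a property of the virtual host being served.
HOST_ENFORCES_2FA = {"www.domain.com": True, "beta.domain.com": False}
# Hardened deployment: both sites are legitimate, but any other Host value is rejected outright.
TRUSTED_HOSTS = {"www.domain.com", "beta.domain.com"}


@dataclass
class Request:
    host: str           # value of the Host header, attacker-controlled
    username: str
    password: str
    twofactorcode: str  # the twofactorcode form field


def _password_ok(req: Request) -> bool:
    acct = ACCOUNTS.get(req.username)
    return acct is not None and hmac.compare_digest(acct["password"], req.password)


def login_vulnerable(req: Request) -> bool:
    """2FA requirement derived from Host: rewriting the header to the beta host disables it,
    yet the session issued is the same one that www.domain.com accepts."""
    if not _password_ok(req):
        return False
    if HOST_ENFORCES_2FA.get(req.host, False):
        return hmac.compare_digest(ACCOUNTS[req.username]["current_code"], req.twofactorcode)
    return True  # beta host: the submitted code (e.g. 000000) is never checked


def login_hardened(req: Request) -> bool:
    """Policy lives on the account, so every host that shares the account store enforces it;
    unexpected Host values fail closed instead of falling back to a permissive default."""
    if req.host not in TRUSTED_HOSTS:
        return False
    if not _password_ok(req):
        return False
    acct = ACCOUNTS[req.username]
    if acct["totp_enabled"]:
        # Constant-time comparison; a real deployment would also rate-limit and expire codes.
        return hmac.compare_digest(acct["current_code"], req.twofactorcode)
    return True
```

A regression test for the fix is the pair of requests that differ only in the Host header: both must be rejected when the code is wrong.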