
€XXX bounty for 2FA disabled without password and OTP by response manipulation.


Hi everyone, I am socalledhacker: a security researcher, penetration tester, certified ethical hacker and a web3 noob. In past months I have discovered lots of bugs, but in today’s article we are going to discuss 2FA disabled without password and OTP by response manipulation, which I discovered recently. So without further delay, let’s start….

A few days ago, I was hunting on a self-hosted program and playing with its 2FA functionality. I tried lots of ways to bypass 2FA that are available on the internet and in various Medium articles, but got nothing. Then I started playing with response manipulation: I copied the response of a previous 2FA disable request, swapped it in for the current 2FA response, and boom, the “2FA disabled” message popped up on the screen.

That’s easy, right? But NOOO: when I refreshed the page, 2FA was not disabled. I was tired, as I had tried every possible way to bypass it, so I changed my target.

After 3 days I thought, let’s play with that 2FA a little bit more. I opened that program, fired up Burp Suite and started response manipulation, but this time I also manipulated the response to the password check. When you try to disable 2FA, the website asks for the password first, then an OTP is sent to the mobile number, and after that 2FA is disabled.

This time I used a slightly unique way to bypass the password and 2FA. First I manipulated the response of the password check and the password was bypassed; then it asked for the OTP to disable 2FA. But the password bypass and everything else is on the client side, so no OTP was sent to the victim’s number, yet it still asked for an OTP. So I pasted the previous 2FA disable response and the “2FA disabled successfully” message popped up on the screen.

Now it’s time to do a little bit more hacking, so I tried to set up/enable 2FA on the attacker’s number. I put in my number as the attacker’s number and an OTP was sent to it; at the same time the website automatically logged out, and when I tried to log back in, 2FA was disabled successfully. 😎

So let’s see the PoC, like always…

Description:- I discovered a critical vulnerability where Two-Factor Authentication (2FA) can be disabled without requiring a user’s password or One-Time Password (OTP). By manipulating the server response during the 2FA disablement process, I was able to bypass authentication checks and disable 2FA for any user account.

Steps to reproduce:-

1. Login to your account and enable 2FA using a phone number or authenticator app.

2. Now click on disable 2FA, enter the wrong password and capture the request in Burp Suite.

3. Intercept the response to this request, change the status to 200 OK and, in the body of the response, clear all errors and change it to SUCCESS.

4. Now you see that the password is bypassed and it will ask for the OTP.

5. Enter a wrong OTP, capture the request in Burp Suite again and intercept the response to this request.

6. Change the response to 200 OK and the body to SUCCESS, as in the previous step.

7. Now 2FA is successfully disabled without password and OTP.

8. We see that 2FA is disabled successfully. Now don’t refresh the page.

9. Now click on enable 2FA and enter a different (attacker) mobile number to activate 2FA for the victim account on the attacker’s number.

10. When we enter the attacker’s number, the OTP is sent to the attacker’s number and at the same time the website automatically logs out. When we try to log in again, 2FA is disabled and we can log in with only a password.
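As an added example (not code from this writeup or from the affected program), here is one server-side design for the disable and re-enrol flows described above that the response manipulation in steps 3 and 6 cannot reach: each step’s completion is recorded only in server-side session state, the OTP is issued to the currently registered number, and a new number does not replace the old factor until it has been verified. The user, session and password values are constructed for the demo.

```python
import hmac
import secrets
import time
from hashlib import sha256

# Constructed demo data (not from the writeup): one account with 2FA on, one session.
USERS = {"alice": {"pw_hash": sha256(b"correct horse").hexdigest(),
                   "phone": "+10000000001", "twofa_enabled": True}}
SESSIONS = {"sess1": {"user": "alice", "step": None, "pending_phone": None}}
# `step` lives only on the server; no client-supplied flag or status can set it.

def _issue_otp(session, phone):
    # Stored server-side; a real system would send it to `phone`, not return it.
    session["otp"] = f"{secrets.randbelow(10**6):06d}"
    session["otp_exp"] = time.time() + 300
    return session["otp"]

def verify_password(sid, password):
    """Disable step 1. A tampered 'SUCCESS' response cannot advance `step`."""
    s, user = SESSIONS[sid], USERS[SESSIONS[sid]["user"]]
    ok = hmac.compare_digest(sha256(password.encode()).hexdigest(), user["pw_hash"])
    s["step"] = "password_ok" if ok else None
    if ok:
        _issue_otp(s, user["phone"])  # OTP goes to the currently registered number
    return ok

def verify_otp_and_disable(sid, otp):
    """Disable step 2: refused unless step 1 really completed on the server."""
    s = SESSIONS[sid]
    if s["step"] != "password_ok":
        return "ERROR"
    ok = time.time() <= s["otp_exp"] and hmac.compare_digest(otp, s["otp"])
    s.update(step=None, otp=None)  # single use: a bad OTP sends you back to step 1
    if not ok:
        return "ERROR"
    USERS[s["user"]]["twofa_enabled"] = False
    return "SUCCESS"

def request_phone_change(sid, new_phone):
    """Re-enrolment: the old factor stays active until the new phone is verified."""
    SESSIONS[sid]["pending_phone"] = new_phone
    return _issue_otp(SESSIONS[sid], new_phone)

def confirm_phone_change(sid, otp):
    s = SESSIONS[sid]
    if s["pending_phone"] is None or not hmac.compare_digest(otp, s.get("otp") or ""):
        return False
    USERS[s["user"]].update(phone=s["pending_phone"], twofa_enabled=True)
    s["pending_phone"] = None
    return True
```

With this layout, editing a response only changes what the browser renders: the disable endpoint still refuses until the server itself has seen a correct password and a correct OTP, and the old number keeps protecting the account until the new one proves it can receive codes.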

Impact:- This vulnerability allows an attacker to disable 2FA for any user account by manipulating the response during the 2FA disablement process. The lack of proper verification can lead to severe security risks, including:

1. Full Account Takeover:- Disabling 2FA opens the door for attackers to easily take over user accounts without additional verification.

2. Loss of Sensitive Data:- Once 2FA is disabled, the account becomes vulnerable to unauthorized access, which may lead to the exposure of personal, financial, or sensitive information.

3. Loss of User Trust:- Users rely on 2FA as an additional layer of security. The ability to disable it without the proper checks could significantly damage user trust in the platform’s security.

That’s it for this article. I will upload more articles related to web2 bugs covering all P4 to P1 bugs in the near future, so stay tuned… 🙂

Buy Me a Coffee : https://buymeacoffee.com/socalledhacker
