How I Discovered 10 2FA Bypasses on a Single Program and Page
--
Before you read this article, you should read “How I Discovered More Than 100 Vulnerabilities on Just One Site? (zseano-challenge).”
Now, let’s discuss the 2FA bypasses I have discovered in this program, starting from the oldest and progressing to the most recent one.
2FA Bypass via Response Manipulation
Steps to Reproduce:
1. Open https://0xm5awy.com/account
2. Click on “Cancel”
3. Enter the number 000000, then intercept the request
4. Click on “Do Intercept” > “Intercept This Request”
5. In the response, change “HTTP/1.1 401 Unauthorized” to “HTTP/1.1 200 OK”
6. Change the status code from 401 to 200 in the response, and delete the message.
Disable 2FA without need to Enter the Verifictaion Code
Steps To Reproduce:
1. The victim navigates to a public space and accesses their account.
2. The victim inadvertently fails to log out after returning home, leaving their account vulnerable.
3. The attacker accesses: https://0xm5awy.com/account
4. The attacker clicks on “Disable 2FA,” prompting the system to request a Verification Code.
5. The attacker closes this page and employs the following endpoint:
Request:
```
DELETE /2fa/disable HTTP/1.1
Host: api.0xm5awy.com
[Additional Headers]
```
Response:
```
HTTP/1.1 204 No Content
[Response Headers]
```
6. Upon returning to the page, the 2FA will be disabled.
The parameter “twoFactorAuthCode” has been leaked. This code is used to enable or cancel 2FA.
Steps To Reproduce:
1. An unauthorized party gains access to the victim’s `twoFactorAuthCode` parameter on /api/@me.
2. The attacker navigates to the relevant endpoint to manage 2FA.
3. The attacker provides the leaked `twoFactorAuthCode` to the endpoint.
4. Depending on the attacker’s intent:
— To Disable 2FA: The attacker cancels the 2FA process.
— To Enable 2FA: The attacker initiates the 2FA setup.
It’s possible to bypass 2FA requirements on authenticate endpoint
Steps To Reproduce:
1. The attacker obtains the victim’s `Email` and `Password`.
2. The attacker attempts to log in at https://www.0xm5awy.com, but encounters 2FA protection.
3. The attacker discovers a way to retrieve the access code through the `/authenticate` endpoint.
Request:
```
POST /authenticate HTTP/1.1
Host: api.0xm5awy.com
[Headers]
{
“login”: “0xm5awy@gmail.com”,
“password”: “password”,
“trustedDevice”: “string”,
“ip”: “string”,
“check”: true
}
```
Response:
```
HTTP/1.1 200 OK
[Headers]
{
“token”: “eyJ0eXAiOi…”,
“refreshToken”: “97a9…”
}
```
4. With the obtained token, the attacker gains full control over the account, bypassing the 2FA protection
No Rate limit On Cancel the 2FA
Steps To Reproduce:
1. Open the victim’s account page: https://www.0xm5awy.com/account
2. Attempt to cancel 2FA and deliberately enter a wrong code.
3. Intercept the request:
Request:
```
POST /api/user/authenticate HTTP/1.1
Host: www.0xm5awy.com
[Other Headers]
{“authCode”:”485200",”method”:”email”,”username”:”0xm5awy@gmail.com”}
```
4. Send the request to the Intruder tool, then initiate the attack, sending test numbers (from 1000 to 10,000) as the `authCode` payload.
5. After the Intruder finishes, it will provide the valid code with a 200 OK status.
2FA can easily be cancelled by `/2fa/enable` endpoint
Steps To Reproduce:
1. Open your account page: https://www.0xm5awy.com/account
2. Attempt to cancel 2FA or change the provider; notice that it asks for the 2FA code.
3. Turn on your proxy (e.g., Burp Suite).
4. Click “Cancel” or change the provider, and intercept the request:
Request:
```
PUT /2fa/check-email HTTP/2
Host: api.0xm5awy.com
[Other Headers]
{“provider”:”google”}
```
5. Edit the request to use the `/2fa/enable` endpoint instead, and modify the body to `{“provider”:”google”}`. Add the `Content-Type: application/json` header.
6. Send the request.
7. After sending the edited request, go back to your account page: https://www.0xm5awy.com/account and you’ll notice that the 2FA has been canceled.
2FA can easily be bypass it by changed our email
Steps To Reproduce:
1. Open your account on: https://www.0xm5awy.com/account, where 2FA is enabled using email.
2. Change your account email to another email address.
3. Confirm the change by following the email confirmation process.
4. Due to the email change, the 2FA is now linked to the new email.
5. Request a cancellation code for 2FA associated with the new email.
6. Use the cancellation code to disable 2FA.
2FA can easily be changed/cancel by try again button when the user useing google 2fa method
Steps To Reproduce:
1. Open your account on: https://www.0xm5awy.com/account, where Google 2FA is enabled.
2. Click on the “Change” or “Cancel” button for the 2FA method.
3. Enter a wrong verification code.
4. A “TRY AGAIN” popup appears.
5. Click on the “TRY AGAIN” button.
6. Select a different method to receive the change/cancellation 2FA code (e.g., email).
7. The 2FA code is sent to the selected method (email in this case).
8. Use the received code to change the 2FA method (e.g., from Google 2FA to email 2FA).
Old `2FA` method still works even we changed to new `2FA` method
Steps to Reproduce:
1. Enable Google Authenticator method for 2FA on your account.
2. Change the 2FA method to another method (e.g., email).
3. Attempt to use the old Google Authenticator method for 2FA.
4. Intercept the request below and replace `”confirmationCode”` with the code generated by your Google Authenticator app:
```
PUT /2fa/confirm HTTP/2
Host: api.0xm5awy.com
Content-Length: 58
Content-Type: application/json
{
“provider”: “google”,
“confirmationCode”: “376516”
}
```
5. Submit the modified request.
6. The system will now allow you to change the method back to Google Authenticator, giving control over the account’s 2FA settings.
A Quick Disclaimer
I used to work directly with the Developer team, not the triage. So, just because some of these reports require you to have access to the victim’s account, it doesn’t mean that it’s applicable to all programs. Also, these vulnerabilities might not be accepted in other programs, as each program has its own rules before allowing actions like this. Make sure to check the specific program’s policies.