2FA Bypass Vulnerability — Part 1

Adeyefa Oluwatoba
3 min read · Nov 27, 2020
Two Factor Authentication

2FA (Two Factor Authentication) is an authentication protocol where access is only granted after providing two pieces of evidence to an authentication mechanism, typically a Password and an OTP (One Time Token). To access an account protected with 2FA you need both the password and a secret token; this serves as an extra layer of security. To successfully bypass 2FA means you can gain access to a 2FA-protected account without the 2FA code, using just the email and password.

This article series explains some common vulnerabilities in 2FA implementations. I am going to use examples I have found in real-life applications to explain each vulnerability.

Bypass Method — Authentication is Set before the OTP is Entered

This is the most common method I have found. It occurs when the developers set the Authentication token before the user has entered the 2FA code. For accounts protected with 2FA, the authentication token should only be set after the user has correctly entered the password and the 2FA code.

Example Found in the Wild

For the purpose of this article I am going to refer to the website where I found this vulnerability as REDACTED. In this application, after entering your email and password you are required to enter the 2FA code sent to your mobile device to successfully log in. I was able to bypass the 2FA protection following the steps below.

Step 1: Enter Email and Password on app.redacted.com

Step 2: You are faced with a page asking you to enter the OTP sent to your mobile device

While checking the requests sent by app.redacted.com, I realized that it had already assigned me a valid Authentication Token even though I had not entered the OTP code. So although on the web page I was asked to enter the 2FA code before gaining access to the account, the API had already given me unrestricted access to the account.

The API had already given me an Authentication token so I could perform all actions available to logged in users even though I had not fully verified my identity as the owner of the account.

It is very common for developers to block a feature on the Web App but leave it accessible on the API. I have found the above 2FA bypass method on at least 3 different FinTech applications.
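To make the flaw concrete, here is an added example (not code from the article or from the redacted application) that puts the two designs side by side: a login that issues the full session token as soon as the password checks out, so any API call succeeds before the OTP step, and a hardened login that issues only a short-lived, single-purpose pre-auth token until the OTP has been verified. The user store, the password hashing and the in-memory session tables are constructed for the demo and are assumptions, not a description of any real backend.

```python
"""Vulnerable vs. hardened 2FA login flow (added demo, constructed data)."""

import hashlib
import hmac
import secrets
import time

# Constructed demo user store. A real system would use a salted password
# hash (bcrypt/argon2); SHA-256 is used only to keep the example short.
USERS = {
    "alice@example.com": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "two_factor": True,
    }
}

SESSIONS = {}   # full-access token -> email
PENDING = {}    # pre-auth token -> {"email", "otp", "expires", "attempts"}
OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 5


def check_password(email, password):
    """Constant-time comparison of the submitted password against the store."""
    user = USERS.get(email)
    if user is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, user["password_hash"])


def vulnerable_login(email, password):
    """The pattern described in the article: the session token is issued
    right after the password check, and the OTP page is only a UI step."""
    if not check_password(email, password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = email   # full access granted before the OTP is checked
    return {"token": token, "needs_otp": USERS[email]["two_factor"]}


def hardened_login(email, password):
    """Password step: for 2FA users, hand back only a pre-auth token that
    no API endpoint accepts; the real session is created in verify_otp."""
    if not check_password(email, password):
        return None
    if not USERS[email]["two_factor"]:
        token = secrets.token_hex(16)
        SESSIONS[token] = email
        return {"token": token}
    otp = f"{secrets.randbelow(10**6):06d}"   # would be sent to the phone here
    pre_auth = secrets.token_hex(16)
    PENDING[pre_auth] = {
        "email": email,
        "otp": otp,
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return {"pre_auth": pre_auth}


def hardened_verify_otp(pre_auth, otp):
    """OTP step: the pre-auth token is single-use, expires, and is revoked
    after too many wrong guesses. Only here is a session token minted."""
    entry = PENDING.get(pre_auth)
    if entry is None or entry["expires"] < time.time():
        PENDING.pop(pre_auth, None)
        return None
    entry["attempts"] += 1
    if entry["attempts"] > MAX_OTP_ATTEMPTS:
        del PENDING[pre_auth]
        return None
    if not hmac.compare_digest(entry["otp"], otp):
        return None
    del PENDING[pre_auth]   # single use
    token = secrets.token_hex(16)
    SESSIONS[token] = entry["email"]
    return {"token": token}


def api_get_profile(token):
    """Stand-in for any API endpoint: it accepts full session tokens only,
    so a pre-auth token from the hardened flow buys nothing."""
    email = SESSIONS.get(token)
    if email is None:
        return None
    return {"email": email}


if __name__ == "__main__":
    v = vulnerable_login("alice@example.com", "correct horse")
    print("vulnerable flow, API before OTP:", api_get_profile(v["token"]))
    h = hardened_login("alice@example.com", "correct horse")
    print("hardened flow, API before OTP:", api_get_profile(h["pre_auth"]))
```

The test a defender wants is the second `print`: with the hardened flow, every token the client holds before the OTP step must be rejected by every API endpoint, not just hidden by the web front end. Logging a spike in API calls that carry pre-auth tokens is a cheap detection for clients probing for exactly the gap the article describes.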

That’s all for the first part of this series. If you have any questions or need any clarifications you can reach me on Twitter @adeyefa_codes


Full Stack web developer. I love learning new things, open to new opportunities and experiences.