Tricky 2FA Bypass Leads to 4 digit Bounty $$$$

Rohaangupta
2 min readSep 20, 2023

--

Hii Everyone i am Rohan Gupta part time bug hunter and Full time as a Jr. Security analyst.

Now Lets know about 2FA !

2FA stands for “Two-Factor Authentication.” It is a security process that requires users to provide two different authentication factors before gaining access to a system, account, or application. The goal of 2FA is to enhance security by adding an additional layer of verification beyond just a username and password.

Why do we need 2FA ?

  1. Enhanced Security: The primary purpose of 2FA is to provide an extra layer of security beyond just a username and password. Passwords can be easily compromised through various means like data breaches, phishing attacks, or social engineering. 2FA makes it significantly more challenging for unauthorized individuals to access your accounts because they would need both something you know (your password) and something you have or are (the second factor).
  2. Protection Against Password Theft: Even if someone manages to steal your password, they won’t be able to access your account without the second factor. This adds a crucial barrier to prevent unauthorized access.
  3. Mitigating Phishing Attacks: Phishing attacks involve tricking users into revealing their login credentials on fake websites that mimic legitimate ones. With 2FA, even if a user enters their password on a phishing site, the attacker won’t have the second factor, making it much harder to compromise the account.
  4. Reducing the Impact of Data Breaches: Data breaches are common, and they can expose usernames and passwords. If you’re using 2FA, even if your credentials are exposed in a breach, the attacker still can’t access your account without the second factor.
  5. Knowing that your accounts are protected by 2FA can give you peace of mind, reducing the risk of unauthorized access and potential harm to your digital identity.

While 2FA adds an extra step to the login process, the security benefits it provides far outweigh the inconvenience. It’s an effective and widely adopted security measure that helps safeguard your online presence in an increasingly digital and interconnected world.

Let’s directly Jump into Vulnerability without wasting time.

Lets know how i was able to Bypass the 2FA successfully on a bugcrowd private program.

Steps to Reproduce :

  1. Create an account on http://domain.com
  2. Enable the 2FA via authenticator app
  3. Now logout the account
  4. Goto forgot password page
  5. Reset password
  6. Change the password and click on Save changes
  7. It was observed that without 2FA attacker was able to login

This was the steps i was able to bypass the 2FA and rewarded $$$$.

Thank you for reading.Hope you liked it.

You can follow me on twitter for more tips : https://x.com/roohaa_n

--

--