OTP implementation bypass – A short tale

2FA. Defenders of the modern day web applications.

Every security guy out here.

When certain vulnerabilities are exploited and your primary authentication fails, the bad guys now have access to your profile. We may not be in control of data dumps from different corners of the sites we registered. But What if we could still block the bad guys even after they have our credentials?

This is where 2FA comes in. Security researchers have analyzed web applications and realized a layer of protection is needed. Developers also agree. Once the primary authentication is passed, an email is sent to you, an SMS or authenticator code is generated for you to prove you are who you say you are.

Normal Application Logic?

In a bug bounty engagement, I noticed this “application” was terribly secure. Clean! I was unable to find any substantial vulnerability.

Being a logic hunter, I followed the application process and registered for an account with a fake email service (emailondeck.com). (BTW) This has proven to be helpful in scenarios where corporate emails are accepted and Gmail/outlook/yahoo are restricted. But anyway…

A confirmation email was sent and the account was verified.

On initial login, I enter my credentials and I’m presented with an OTP form (after redirection to /authenticate endpoint).

I enter the OTP sent to my phone and redirected to my /home endpoint. Pretty normal, right?

Where the vulnerability lies

Now that I have used the application correctly, I try the login process with the aim of bypassing the security check (OTP).

I enter the creds and I’m presented with an OTP prompt again.

I tried refreshing the page but still nothing but the prompt.

I press the back button which should take me back to /login but I’m instead redirected to /home, the default landing page after successful authentication. I am presented with the good old “$username” and I submit this simple report to the program.

Take Home

Test the simplest of functionalities that are meant to protect the user. It just might be in the weirdest of places.

The Fix?

Through a later discovered source code disclosure, it was observed that the developer set an ‘otpverify‘ value to false. The fix was implemented by simply changing that to true.

search previous next tag category expand menu location phone mail time cart zoom edit close