2FA Secret value disclosure leads to 2FA Bypass - Bug Bounty Writeup

Hello folks, today I am going to share one of my 2FA bypass bugs which I found on a private program.


Summary:-

I was testing the 2FA feature of this application with two accounts in an organization. I was checking all requests and responses in Burp Suite to find an IDOR, but I saw the 2FA secret codes of other users on the team page. This secret value is disclosed to all Admin-type users; lower-privilege users cannot see this page. When a user enables the 2FA feature, he needs to scan a QR code in an authenticator app, and if we decode that QR code we see this format:-

`otpauth://totp/<your-email>?secret=<totp_secret_key>&issuer=Target`

Here the `totp_secret_key` value is unique for each user and cannot be bruteforced. I took this secret key from the team page entry of another admin user and put it into the format above. I generated a QR code from a website and scanned it in the authenticator app. Then I tried logging in with the other user's credentials and entering the OTP on the 2FA page, and it worked. Both the victim's and my OTPs work. So this is how I bypassed 2FA of same-privilege users on this application.


POC:-

  1. Login to your account.

  2. Go to https://app.target.com/dashboard/team/ and open Burp Suite.

  3. You will see a GET request with a /api/dashboard/team/ URL in it.

  4. Send it to repeater and click on the send button.

  5. You can see the totp_secret_key value of other users in the response.

  6. Copy the value and the email address of that user. Paste both values into this format: `otpauth://totp/your%40email.com?secret=[your-totp-secret-key]&issuer=Target`

  7. Go to https://www.the-qrcode-generator.com/ and paste the crafted text in it.

  8. Your QR code will be generated. Scan it in an authenticator app (Duo Mobile) and it will accept that QR code.

  9. Now logout from the website and enter the correct credentials of the victim user.

  10. Enter the code from the authenticator app and it will log you in successfully.
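
On the fix side, the following added example (not part of the original writeup and not the target's code) assumes the leak comes from the team endpoint serializing the whole user record. It contrasts that pattern with an allowlist serializer and adds a response check that can run as a regression test. Every field name except `totp_secret_key`, the sample records and the key-name pattern are assumptions.

```python
import json
import re

# Key names that should never reach a client (assumed naming patterns).
SENSITIVE_KEY = re.compile(
    r"(totp|otp|mfa|2fa).*(secret|seed|key)|password|recovery_code", re.I)
# Fields the team page actually needs (hypothetical allowlist).
TEAM_MEMBER_FIELDS = ("id", "email", "role", "two_factor_enabled")

# Constructed sample records, not taken from the original report.
USERS = [
    {"id": 1, "email": "admin-a@example.com", "role": "admin",
     "two_factor_enabled": True, "totp_secret_key": "CONSTRUCTED-PLACEHOLDER-A"},
    {"id": 2, "email": "admin-b@example.com", "role": "admin",
     "two_factor_enabled": True, "totp_secret_key": "CONSTRUCTED-PLACEHOLDER-B"},
]


def serialize_member_unsafe(user: dict) -> dict:
    """Assumed pattern behind the leak: the whole record goes to the client."""
    return dict(user)


def serialize_member(user: dict) -> dict:
    """Hardened form: only allowlisted fields, so new columns stay private."""
    return {f: user[f] for f in TEAM_MEMBER_FIELDS if f in user}


def find_sensitive_fields(payload, path="$"):
    """Walk decoded JSON and return the paths of sensitive-looking keys."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key):
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def audit(serializer):
    """Render the team response with a serializer, then scan the JSON body."""
    body = json.dumps({"members": [serializer(u) for u in USERS]})
    return find_sensitive_fields(json.loads(body))


if __name__ == "__main__":
    print("unsafe:", audit(serialize_member_unsafe))
    print("hardened:", audit(serialize_member))
```

Running `find_sensitive_fields` over recorded API responses in CI catches this class of leak even when a new secret column is added later.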

