Behind the Scenes of a Security Bug: The Perils of 2FA Cookie Generation

S Rahul
3 min read · Jul 22, 2023


Hello everyone! I am S Rahul, a passionate Cyber Security Analyst and Bug Bounty Hunter. With 2+ years of experience in the field, I specialize in privacy and data protection, security testing, and vulnerability scanning. My expertise extends to various GRC frameworks such as ISMS, BCMS, PIMS, GDPR, PCI DSS, etc. Additionally, I hold certifications in CEH, RHCSA, and ISO. Excited to share my knowledge with you all! 🔒🌐🚀

Today, I’m going to talk about my most recent discovery, which I call “Behind the Scenes of a Security Bug: The Perils of 2FA Cookie Generation” or, more plainly, a “2FA Bypass.”

The first issue comes from a faulty 2FA implementation in the login flow. When 2FA is enabled for an account, the application prompts for the one-time password (OTP) after the password step, which gives the impression that login is gated on the second factor. In reality, it issues the full login cookie before the OTP is ever checked.

Suppose I have enabled 2FA on target.com. I enter my credentials, click Login and capture the request in Burp Suite. At this point the request carries only the consent and PHP session cookies:
Cookie: COOKIE_CONSENT=TRUE; PHPSESSID=j03dshgdjsjh76jhjsd6q

The application now asks for the 2FA OTP. Instead of entering it, I refresh the OTP page and capture that request too. It now carries an additional cookie:
Cookie: COOKIE_CONSENT=TRUE; PHPSESSID=asqhlckhhkd87jdjgbah76ndhas; REMEMBER_ME=sJrrhooLjYc%khskdh35kahkiutXN7IT0Yv03

This confirms that the login (REMEMBER_ME) cookie is generated before the 2FA step is completed. I already had an update-profile request from an earlier session in Burp Suite, so I replaced its cookies with the ones above and replayed it. The server answered status: { true }.

With that cookie I was able to update, edit and delete account details without ever completing the 2FA process.

2FA Bypass via Verification Links: Let’s proceed with another 2FA bypass, this time on a different target; let’s call it example.com.

The application’s flow starts with signup, during which it e-mails the user a verification link that is used to confirm the e-mail address.

After signing up, I logged into the account and successfully enabled 2FA from the profile settings.

Next, I opened a new browser and logged in with the credentials. Instead of being taken straight to the dashboard, I was redirected to the 2FA OTP page and prompted for the code.

At this point I remembered the verification link sent during signup. Curious to see what would happen, I copied the link and opened it in the same browser. The application redirected me straight to the dashboard, skipping the 2FA OTP prompt entirely.

So the verification link doubled as a login: opening it bypassed the pending 2FA step and dropped me into the account. This is a serious flaw in the application’s logic, because it defeats the purpose of 2FA as an additional layer on top of the password. Both findings share the same root cause: the server treats the session as fully authenticated (by issuing the login cookie, or by honouring a verification token) before every required factor has actually been presented.
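The following is an added example and not code from the original post or from either target. It models the account flow described in both findings above: `VulnerableAuthServer` reproduces bug 1 (a fully authenticated cookie issued while the OTP prompt is still pending) and bug 2 (the e-mail verification link doubling as a login), while `AuthServer` is the hardened form, in which a session only becomes authenticated after every required factor and the verification link never creates a login. The cookie name, the endpoint names, the use of TOTP as the OTP scheme and all sample data are assumptions for illustration; the post does not say how the real targets implemented them.

```python
# Added example, not from the original post: the account flow written two ways.
# Names, cookie layout and sample data are constructed for illustration.
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

PENDING_2FA = "pending_2fa"      # password accepted, OTP still outstanding
AUTHENTICATED = "authenticated"  # the only state account endpoints accept

@dataclass
class User:
    pw_hash: bytes
    salt: bytes
    totp_secret: Optional[bytes]  # 2FA is enabled when this is set
    email_verified: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class AuthServer:
    """Hardened: AUTHENTICATED only after every factor; e-mail links never log in."""
    def __init__(self):
        self.users = {}          # username -> User
        self.sessions = {}       # cookie value (e.g. REMEMBER_ME) -> (username, state)
        self.verify_links = {}   # e-mailed link token -> username

    def register(self, username, password, totp_secret=None):
        salt = secrets.token_bytes(16)
        self.users[username] = User(hash_password(password, salt), salt, totp_secret)
        token = secrets.token_urlsafe(32)
        self.verify_links[token] = username
        return token             # would be sent in the verification e-mail

    def _check_password(self, username, password):
        user = self.users.get(username)
        ok = user and hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
        return user if ok else None

    def _issue(self, username, state):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (username, state)
        return cookie

    def _verify_email(self, token):
        username = self.verify_links.pop(token, None)   # single use
        if username is not None:
            self.users[username].email_verified = True
        return username

    def login(self, username, password):
        user = self._check_password(username, password)
        if user is None:
            return None
        # With 2FA enabled, the password alone earns only a pending session.
        return self._issue(username, PENDING_2FA if user.totp_secret else AUTHENTICATED)

    def verify_otp(self, cookie, code, now=None):
        """Upgrades a pending session; returns a fresh cookie, or None."""
        username, state = self.sessions.get(cookie, (None, None))
        if state != PENDING_2FA:
            return None
        expected = totp(self.users[username].totp_secret, time.time() if now is None else now)
        if not hmac.compare_digest(expected, code):
            return None
        del self.sessions[cookie]   # rotate the cookie on privilege change
        return self._issue(username, AUTHENTICATED)

    def consume_verification_link(self, token):
        self._verify_email(token)   # verifies the address, issues no cookie
        return None

    def update_profile(self, cookie, **changes):
        username, state = self.sessions.get(cookie, (None, None))
        if state != AUTHENTICATED:
            return {"status": False, "error": "authentication incomplete"}
        return {"status": True, "user": username, "changes": changes}

class VulnerableAuthServer(AuthServer):
    """Reproduces both bugs described in the post."""
    def login(self, username, password):
        user = self._check_password(username, password)
        # BUG 1: full login cookie issued while the OTP prompt is still pending.
        return None if user is None else self._issue(username, AUTHENTICATED)

    def consume_verification_link(self, token):
        username = self._verify_email(token)
        # BUG 2: the e-mail verification link doubles as a login, skipping OTP.
        return None if username is None else self._issue(username, AUTHENTICATED)
```

Run against a `VulnerableAuthServer`, the cookie returned by `login` already passes `update_profile` before any OTP is entered, and `consume_verification_link` hands out a working cookie on its own, which is exactly what the two Burp replays above showed. The hardened server keeps a separate `PENDING_2FA` state, has `update_profile` reject anything but `AUTHENTICATED`, rotates the cookie when the OTP is accepted so the pre-OTP value can never be upgraded in place, and makes the verification link a pure e-mail check with no session side effect.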

Rewarded with $$$ for each bug🤑💸

Thanks for reading guys.

Don’t forget to follow and connect with me on Instagram, LinkedIn and Twitter.
