My First Bug Bounty — 2 Factor Authentication Bypass

Talatmehmood
May 22, 2020

Hello guys, I hope everyone is doing great!
A little introduction about me: my name is Talat Mehmood, and I’ve been an active bounty hunter, freelancer and penetration tester since 2017.

A lot of people asked me to write up my first ever bug bounty. Today, I finally got the time to write about it. This vulnerability is actually pretty interesting, so here it goes.

“Summary: I was able to Bypass Phone Number Verification by Tampering Parameters during Sign Up!”

Alright, so I was testing the “Sign up” module of the web application (let’s just call it vulnme.com). Along with the other parameters in the request, I found an interesting one: “twoFactorNotificationType”.

[Image: sign-up request with the vulnerable parameter]

By default, the value was set to “0”. In the normal flow of the application, on login an OTP (one-time password) was sent to the provided phone number for verification. Once you’ve entered the correct OTP in the application, you’ll be authenticated.

I started tweaking this parameter. I found that when I set this parameter (twoFactorNotificationType) to “1” during sign up, the OTP that was supposed to be sent to the phone number was sent to the email instead xD

This could allow a malicious user to bypass their phone number verification. Further, this vulnerability could be elevated to bypass 2 Factor Authentication if the attacker had access to the victim’s email.

So, just changing the value of a parameter earned me my first bounty of €100!!

My First Bug Bounty — Parameter Tampering

CONCLUSION:

  1. Always tweak all the parameters in the requests.
  2. Think outside the box.
  3. Determination is the key! Never give up too early.
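
Seen from the defending side, the sign-up flow above fails because the server lets a request field decide where the phone-verification OTP is delivered. The sketch below is an added example, not code from the original post or from the affected application: it puts the described behaviour next to a hardened handler. The handler names, the field names other than twoFactorNotificationType, and the reading of “0” as SMS and “1” as email are assumptions taken from the description.

```python
import secrets

SMS, EMAIL = 0, 1  # assumed meaning of the twoFactorNotificationType values
ALLOWED_SIGNUP_FIELDS = {"email", "phone", "password"}  # hypothetical field names


def send_otp(outbox, channel, destination):
    """Stand-in for the SMS/e-mail gateway: records where the code would go."""
    outbox.append((channel, destination))
    return f"{secrets.randbelow(10**6):06d}"


def signup_vulnerable(body, outbox):
    """Behaviour described in the post: the client picks the OTP channel."""
    channel = int(body.get("twoFactorNotificationType", SMS))
    dest = body["email"] if channel == EMAIL else body["phone"]
    # Server-side pending-verification record (never returned to the client).
    return {"phone_verified": False, "pending_otp": send_otp(outbox, channel, dest)}


def signup_hardened(body, outbox):
    """Reject unknown fields and bind the phone-verification OTP to the phone."""
    unexpected = set(body) - ALLOWED_SIGNUP_FIELDS
    if unexpected:
        raise ValueError(f"unexpected sign-up fields: {sorted(unexpected)}")
    # The channel is a server-side decision: proving control of a phone number
    # means delivering the code to that number, never to another factor.
    return {"phone_verified": False,
            "pending_otp": send_otp(outbox, SMS, body["phone"])}


def demo():
    """Replay a constructed tampered sign-up body against both handlers."""
    tampered = {"email": "a@example.test", "phone": "+10000000000",
                "password": "x", "twoFactorNotificationType": "1"}  # constructed
    out_vulnerable, out_hardened = [], []
    signup_vulnerable(tampered, out_vulnerable)
    try:
        signup_hardened(tampered, out_hardened)
        rejected = False
    except ValueError:
        rejected = True
    clean = {k: v for k, v in tampered.items() if k in ALLOWED_SIGNUP_FIELDS}
    signup_hardened(clean, out_hardened)
    return out_vulnerable, rejected, out_hardened
```

Rejecting the unexpected field, rather than silently dropping it, also gives the server a clear event to log when someone tampers with the sign-up request.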
