2 FA Bypass via CSRF Attack

Vishal Bharad
2 min readDec 23, 2019

--

Introduction :

Hello Guys Again, I am Vishal Bharad, I’m here again to share about my findings on How I Bypass 2 Factor Authentication via CSRF (Cross Site Request Forgery).

About the Vulnerability :

You all know about the 2FA Bypass Vulnerability. There are some Techniques.

  1. Bypassing 2fa using conventional session management
  2. Bypassing 2fa Via OAuth mechanism
  3. Bypassing 2fa via brute force
  4. Bypassing 2fa using race conditions (RARE)
  5. Bypassing 2fa using modifies response
  6. Bypassing 2fa using Activation link
  7. Bypassing 2fa in password reset page

But here I am able to disable the 2FA via Client side attack which is CSRF.

For Discovering the bug I have tried to Disable 2FA using CSRF file. But I have seen that there is token is generated in the CSRF poc. But when I tried this html file that token is never get expired. This token is used again and again to disable 2FA on another Account.

Note : Always try to Disable 2FA using CSRF Attack.

So the program is Mail.ru which is Available on Hackerone.

Pandao.ru is the extended program name that I have found vulnerability on this domain.

Tools Used for this Vulnerability:

  1. BurpSuite

Steps to Reproduce the Vulnerability

  1. Go to https://pandao.ru/profile/settings and sign up for two accounts. In which first is attackers account and second is Victim’s
  2. Log in to Attackers account and capture the Disable 2FA request in Burp suite and generate CSRF poc.
  3. Save the CSRF poc file with extension .HTML.
  4. Now log in into Victim’s account in Private Browser and fire that CSRF file. Now you can see that It disable 2FA which leads to 2FA Bypass.

Video is Attached to Demonstrate this Vulnerability.

Thank You

Disclosure :

  1. I reported to them 9th August
  2. They saw the report, steps to reproduce, and PoC(Video).
  3. And, this program is in Extended scope of mail.ru and They do not pay for Client side attacks so I didn't get any Bounty for this. But Still Worth. :)

Thanks

Looking forward to share more blogs

Best Regards

Vishal Bharad

Linkedin Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/

--

--

Vishal Bharad
Vishal Bharad

Written by Vishal Bharad

Penetration Tester, Bug Bounty Hunter, Security Researcher

No responses yet