2 FA Bypass via CSRF Attack
Hello Guys Again, I am Vishal Bharad, I’m here again to share about my findings on How I Bypass 2 Factor Authentication via CSRF (Cross Site Request Forgery).
About the Vulnerability :
You all know about the 2FA Bypass Vulnerability. There are some Techniques.
- Bypassing 2fa using conventional session management
- Bypassing 2fa Via OAuth mechanism
- Bypassing 2fa via brute force
- Bypassing 2fa using race conditions (RARE)
- Bypassing 2fa using modifies response
- Bypassing 2fa using Activation link
- Bypassing 2fa in password reset page
But here I am able to disable the 2FA via Client side attack which is CSRF.
For Discovering the bug I have tried to Disable 2FA using CSRF file. But I have seen that there is token is generated in the CSRF poc. But when I tried this html file that token is never get expired. This token is used again and again to disable 2FA on another Account.
Note : Always try to Disable 2FA using CSRF Attack.
So the program is Mail.ru which is Available on Hackerone.
Mail.ru - Bug Bounty Program | HackerOne
The Mail.ru Bug Bounty Program enlists the help of the hacker community at HackerOne to make Mail.ru more secure…
Pandao.ru is the extended program name that I have found vulnerability on this domain.
Tools Used for this Vulnerability:
Steps to Reproduce the Vulnerability
- Go to https://pandao.ru/profile/settings and sign up for two accounts. In which first is attackers account and second is Victim’s
- Log in to Attackers account and capture the Disable 2FA request in Burp suite and generate CSRF poc.
- Save the CSRF poc file with extension .HTML.
- Now log in into Victim’s account in Private Browser and fire that CSRF file. Now you can see that It disable 2FA which leads to 2FA Bypass.
Video is Attached to Demonstrate this Vulnerability.
- I reported to them 9th August
- They saw the report, steps to reproduce, and PoC(Video).
- And, this program is in Extended scope of mail.ru and They do not pay for Client side attacks so I didn't get any Bounty for this. But Still Worth. :)
Looking forward to share more blogs
Linkedin Profile : https://www.linkedin.com/in/vishal-bharad-b476b388/