MFA Bypassing Technique Without the Need for a Phone Code, Got $2500 Bounty

ShuttlerTech
Feb 13, 2023

Summary: It is possible to bypass MFA without the need to have the phone code.

Description: When MFA is turned on and we have the user's username and password, it is possible to bypass the MFA just by changing some values in the request to the endpoint
POST auth.xyz.com/v3/api/login

Steps To Reproduce:

Note: Use Burp Suite or another tool to intercept the requests.

  1. Turn on and configure your MFA
  2. Log in with your email and password
  3. The MFA page is going to appear.
  4. Enter any random number
  5. When you press the “sign in securely” button, intercept the POST request to auth.xyz.com/v3/api/login and change these fields in the request body:

  • "mode":"sms" to "mode":"email"
  • "secureLogin":true to "secureLogin":false

  6. After the modification (if you are using Burp Suite, right-click and go to {do intercept → Response to this request}), click the Forward button to send the modified request. Now check the response. Boom, you are in your account! It was not necessary to enter the phone code.

Main Impact

The attacker can bypass the experimental MFA. If the attacker has the email and password, the attacker can log in to the account without the need for the phone code.
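The root cause implied by the steps above is a server that lets request fields decide whether the second factor is checked. The sketch below is an added example, not code from the affected application: the handler logic, the account store, and the `email`, `password` and `code` field names are assumptions, and only `mode` and `secureLogin` come from the write-up. It puts an assumed vulnerable handler beside a hardened one and adds a detection check for the downgrade.

```python
import hashlib
import hmac

def _kdf(password):
    # Constructed salt and a low iteration count keep the sample short and fast.
    return hashlib.pbkdf2_hmac("sha256", str(password).encode(), b"constructed-salt", 10_000)

# Constructed server-side state; nothing here comes from the write-up's target.
ACCOUNTS = {"alice@example.com": {"pw": _kdf("hunter2!"), "mfa_enabled": True}}
PENDING_CODES = {"alice@example.com": "493817"}  # code the server sent by SMS

def _password_ok(account, password):
    return account is not None and hmac.compare_digest(account["pw"], _kdf(password))

def _code_ok(email, code):
    expected = PENDING_CODES.get(email)
    ok = expected is not None and hmac.compare_digest(expected.encode(), str(code).encode())
    if ok:
        del PENDING_CODES[email]  # one-time use: consume on success
    return ok

def login_vulnerable(body):
    """Assumed flaw: the second factor is checked only when the client asks for it."""
    account = ACCOUNTS.get(body.get("email"))
    if not _password_ok(account, body.get("password")):
        return 401
    if body.get("secureLogin") and body.get("mode") == "sms":
        if not _code_ok(body["email"], body.get("code")):
            return 401
    return 200  # reached with a valid password and "secureLogin": false

def login_hardened(body):
    """MFA requirement comes from the stored account; client flags are ignored."""
    account = ACCOUNTS.get(body.get("email"))
    if not _password_ok(account, body.get("password")):
        return 401
    if account["mfa_enabled"] and not _code_ok(body["email"], body.get("code")):
        return 401
    return 200

def is_downgrade(body):
    """Detection signal: an MFA-enrolled account sent flags that opt out of MFA."""
    account = ACCOUNTS.get(body.get("email"))
    return bool(account and account["mfa_enabled"]
                and (body.get("secureLogin") is not True or body.get("mode") != "sms"))

# Constructed requests: the modified body from step 5, and a legitimate one.
TAMPERED = {"email": "alice@example.com", "password": "hunter2!", "code": "000000",
            "mode": "email", "secureLogin": False}
LEGIT = {"email": "alice@example.com", "password": "hunter2!", "code": "493817",
         "mode": "sms", "secureLogin": True}
```

Logging every request where `is_downgrade` is true gives responders a direct indicator of this bypass being attempted, even after the handler is fixed.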

Thank you for reading.
I always try to provide useful, to-the-point material. If you like what I write, press the Clap icon to encourage me and subscribe to me on YouTube for upcoming live attacking POCs and bug bounty tips.
