Exposing Security Weakness: How I Disabled 2FA with a Rate Limit Flaw

Syd Ricafort (0cod3)
2 min read · Mar 9, 2023

Hello folks, this is Syd, and today I will show you how I found a bug that let me disable two-factor authentication by brute-forcing the One-Time Password (OTP) code.

My target platform is an e-commerce website where users can buy and sell CS:GO skins and a variety of other items from popular games, including DOTA 2, Rust, and Team Fortress 2.

When I test a website, I love to test its authentication functionality for bypasses such as response manipulation, request manipulation, and missing rate limiting. During my testing I came across the endpoint /api/user/remove-twofactor. This endpoint is used to disable 2FA, and it requires two parameters: the password and the 2FA code (which is generated by the authenticator app).

I tried entering an incorrect code, and the response was:

{"requestId":"f9e8fc28-d4c5-40b5-b170-b219cc4d567e","success":false,"message":"2FA_INCORRECT_CODE","form":"code"}

Now here comes the exciting part. I sent the request to Burp Suite Intruder, set the payload marker and the payload type to Numbers, then started the attack. I noticed that I could send many requests, all answered with 200 OK, without ever getting blocked.

A response with status 400 means 2FA has been disabled. Since the OTP code is only 6 digits (at most one million possibilities), two-factor protection can easily be disabled by brute-forcing the 2FA code when no rate limit is in place.
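To make the missing control concrete, here is an added example in Python (not code from the site or from the author): a stub of the remove-2FA handler as the post describes it, with no attempt limit, beside a hardened version that counts failures per user and locks the endpoint for a while. The User model, the handler names, the attempt budget of 5, the 15-minute lockout, and the test account values are all assumptions.

```python
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # assumed policy: wrong codes tolerated before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed lockout length once the budget is spent

@dataclass
class User:
    password: str
    totp_code: str               # stub: the code the authenticator app currently shows
    twofactor_enabled: bool = True
    failed_attempts: int = 0
    locked_until: float = 0.0

def remove_twofactor_unlimited(user, password, code):
    """Mirrors the flawed endpoint: unlimited guesses, each answered with 200."""
    if not user.twofactor_enabled:
        return 400, "2FA_NOT_ENABLED"        # the 400 the post uses as its success signal
    if password != user.password or code != user.totp_code:
        return 200, "2FA_INCORRECT_CODE"
    user.twofactor_enabled = False
    return 200, "OK"

def remove_twofactor_limited(user, password, code, now=None):
    """Hardened version: per-user failure counter plus a temporary lockout."""
    now = time.time() if now is None else now
    if not user.twofactor_enabled:
        return 400, "2FA_NOT_ENABLED"
    if now < user.locked_until:
        return 429, "TOO_MANY_ATTEMPTS"      # reject before even checking the code
    pw_ok = hmac.compare_digest(password, user.password)
    code_ok = hmac.compare_digest(code, user.totp_code)   # constant-time compare
    if not (pw_ok and code_ok):
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_ATTEMPTS:
            user.locked_until = now + LOCKOUT_SECONDS
            user.failed_attempts = 0
        return 200, "2FA_INCORRECT_CODE"
    user.failed_attempts = 0
    user.twofactor_enabled = False
    return 200, "OK"

def simulate(handler, wrong_guesses):   # wrong codes first, then the right one
    user = User(password="hunter2", totp_code="123456")   # constructed test account
    seen = set()
    for i in range(wrong_guesses):
        seen.add(handler(user, "hunter2", f"{i + 1:06d}")[0])
    status, msg = handler(user, "hunter2", "123456")
    return seen, status, msg, user.twofactor_enabled
```

In a real deployment the counter and lockout must live server-side (keyed by account, not by session or IP alone) so that a fresh connection cannot reset them.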

In summary, while testing a popular e-commerce website’s authentication functionality, I discovered a bug that allowed me to disable 2FA by brute-forcing the OTP code. This highlights the importance of thorough testing and the need for companies to prioritize their security measures to protect their users’ sensitive information.

I hope you had fun reading. Thanks, and see you in my next writeup 😉

Follow me on 👉 Twitter
