Exposing Security Weakness: How I Disabled 2FA with a Rate Limit Flaw
Hello folks, this is Syd, and today I will show you how I found a bug that let me disable two-factor authentication by brute-forcing the one-time password (OTP) code.
My target platform is an e-commerce website where users can buy and sell CS:GO skins and a variety of other items from popular games, including DOTA 2, Rust, and Team Fortress 2.
When I test a website, I love to test its authentication functionality: bypasses through response manipulation, request manipulation, and missing rate limits. During this test I came across the endpoint /api/user/remove-twofactor. This endpoint disables 2FA and requires two parameters: the account password and the 2FA code generated by the authenticator app.
I entered an incorrect code and got this response:
{"requestId":"f9e8fc28-d4c5-40b5-b170-b219cc4d567e","success":false,"message":"2FA_INCORRECT_CODE","form":"code"}
Now here comes the exciting part. I sent the request to Burp Suite Intruder, set the payload marker on the code value, chose the Numbers payload type, and started the attack. I noticed that I could send many requests, all answered 200 OK, without getting blocked.
A response with status 400 meant the 2FA had been disabled. Since the OTP code is only 6 digits, there are at most 1,000,000 candidates, and with no rate limit an attacker who already has the password can disable two-factor protection simply by brute-forcing the code.
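To make the impact concrete, here is an added example (my own code, not the author's and not the target site's) that simulates the /api/user/remove-twofactor behaviour described above, runs the same 000000..999999 enumeration that Intruder's Numbers payload performs, and then runs the identical attack against a version of the endpoint that counts failed codes per account and locks the action. Everything beyond the endpoint name and the 2FA_INCORRECT_CODE message is an assumption for the demo: the code is treated as a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), the shared secret and the frozen clock are made up, the lockout threshold is 5, and the PASSWORD_INCORRECT and 2FA_LOCKED messages are invented.

```python
"""
Added example for this writeup; not the author's code or the target site's
code. Simulates the /api/user/remove-twofactor behaviour from the post, runs
the 000000..999999 enumeration Burp Intruder's Numbers payload performs, and
shows the same attack against an endpoint with a per-account failure counter.

Assumptions (not from the original post): RFC 6238 TOTP (HMAC-SHA1, 30 s step,
6 digits), a made-up secret and frozen clock, a lockout threshold of 5, and the
invented PASSWORD_INCORRECT / 2FA_LOCKED messages. Only 2FA_INCORRECT_CODE is
taken from the real response.
"""
import hashlib
import hmac
import struct
from functools import lru_cache

SECRET = b"constructed-demo-secret-not-a-real-seed"  # constructed for the example
FROZEN_TIME = 1_700_000_000  # fixed clock so every run is deterministic
STEP = 30
DIGITS = 6
LOCKOUT_THRESHOLD = 5  # assumption: lock the action after 5 wrong codes


@lru_cache(maxsize=None)
def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


class VulnerableRemove2FA:
    """Mirrors the post: correct password plus unlimited code guesses, every
    wrong guess answered with 2FA_INCORRECT_CODE and nothing else."""

    def __init__(self, secret: bytes, now: int):
        self._secret = secret
        self._now = now
        self.two_factor_enabled = True

    def remove_twofactor(self, password_ok: bool, code: str) -> dict:
        if not password_ok:
            return {"success": False, "message": "PASSWORD_INCORRECT"}  # assumed message
        if not hmac.compare_digest(code, totp(self._secret, self._now)):
            return {"success": False, "message": "2FA_INCORRECT_CODE", "form": "code"}
        self.two_factor_enabled = False
        return {"success": True}


class HardenedRemove2FA(VulnerableRemove2FA):
    """Same check, plus a per-account failure counter. Past the threshold the
    endpoint refuses further attempts (HTTP 429 or a forced re-login in a real
    deployment), so enumeration never gets near the 6-digit space."""

    def __init__(self, secret: bytes, now: int, threshold: int = LOCKOUT_THRESHOLD):
        super().__init__(secret, now)
        self._failures = 0
        self._threshold = threshold

    def remove_twofactor(self, password_ok: bool, code: str) -> dict:
        if self._failures >= self._threshold:
            return {"success": False, "message": "2FA_LOCKED"}  # assumed message
        result = super().remove_twofactor(password_ok, code)
        if result["success"]:
            self._failures = 0
        else:
            self._failures += 1
        return result


def brute_force(service: VulnerableRemove2FA, password_ok: bool = True):
    """Enumerate every 6-digit code in order, as Intruder's Numbers payload does.
    Returns (code_that_disabled_2fa or None, attempts_made)."""
    for n in range(10 ** DIGITS):
        code = f"{n:0{DIGITS}d}"
        result = service.remove_twofactor(password_ok, code)
        if result["success"]:
            return code, n + 1
        if result["message"] == "2FA_LOCKED":
            return None, n + 1
    return None, 10 ** DIGITS


if __name__ == "__main__":
    code, attempts = brute_force(VulnerableRemove2FA(SECRET, FROZEN_TIME))
    print(f"vulnerable endpoint: 2FA disabled with code {code} after {attempts} attempts")
    code, attempts = brute_force(HardenedRemove2FA(SECRET, FROZEN_TIME))
    print(f"hardened endpoint:   stopped after {attempts} attempts, code found: {code}")
```

The clock is frozen here so the valid code never changes during the run; a real verifier usually also accepts codes from the neighbouring 30-second steps to tolerate clock skew, which only widens the attacker's target. The counter in HardenedRemove2FA is the minimum fix; in practice it should be backed by a shared store so it survives across servers, and a sensitive action like disabling 2FA should also require a fresh login or a recovery code.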
In summary, while testing a popular e-commerce website’s authentication functionality, I discovered a bug that allowed me to disable 2FA by brute-forcing the OTP code. This highlights the importance of thorough testing and the need for companies to prioritize their security measures to protect their users’ sensitive information.
I hope you had fun reading. Thanks, and see you in my next writeup 😉
Follow me on 👉 Twitter