2FA bypass by reading the documentation

This is a fairly simple and short writeup, but I think it is worth sharing, so let's get started.

This program is private, so I will be redacting most of the information from it.

Like any other website, my program has 2FA implemented, and their implementation is pretty good too. So I started reading the documentation. Most of the API functions require an API key for authorization.

And this API key can only be obtained in the web client after logging in, which requires 2FA verification. However, while reading the other API functions, I found one odd API method.

Unlike the other API methods, it doesn't use the API key for authorization. Instead, it uses basic authentication (the -u option in the documented example) and only requires the email and the password. After trying it out myself, the request succeeded without the 2FA verification.
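To make the gap concrete, here is an added example (my own illustration, not code or an endpoint from the private program). It models a hypothetical API with one method documented under a Basic auth scheme while the rest require an API key that the web client only mints after 2FA, shows why the Basic auth path silently skips the second factor, shows the consistent check that closes it, and includes a small audit helper that flags any documented method whose auth scheme is not the 2FA-gated one. All account data, method names and the X-API-Key header name are constructed for the example.

```python
import base64
import hmac
import secrets
from typing import Optional

# Constructed user store: a hypothetical account with 2FA enabled (not the program's data).
USERS = {"alice@example.com": {"password": "correct horse", "mfa_enabled": True}}

# API keys issued by the (hypothetical) web client, only after a 2FA-verified login.
API_KEYS: dict = {}  # api key -> account email


def issue_api_key(email: str, mfa_verified: bool) -> str:
    """Web-client path: mint an API key, refusing unless the second factor was verified."""
    if email not in USERS:
        raise PermissionError("unknown account")
    if USERS[email]["mfa_enabled"] and not mfa_verified:
        raise PermissionError("2FA not verified")
    key = secrets.token_hex(16)
    API_KEYS[key] = email
    return key


def mfa_gate_holds(email: str) -> bool:
    """True if the key-minting path refuses a login that never passed 2FA."""
    try:
        issue_api_key(email, mfa_verified=False)
    except PermissionError:
        return True
    return False


def check_password(email: str, password: str) -> bool:
    """First factor only; constant-time compare (a real service compares against a hash)."""
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(user["password"].encode(), password.encode())


def make_basic_header(email: str, password: str) -> str:
    """Build the Authorization value that 'curl -u email:password' sends."""
    return "Basic " + base64.b64encode(f"{email}:{password}".encode()).decode()


def parse_basic(header: str) -> Optional[tuple]:
    """Decode 'Basic <base64(email:password)>'; None if the header is malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    email, sep, password = decoded.partition(":")
    return (email, password) if sep else None


def authorize_odd_method(headers: dict) -> Optional[str]:
    """The odd method: Basic auth alone, so the 2FA gate is never consulted."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds and check_password(*creds):
        return creds[0]
    return None


def authorize_consistent(headers: dict) -> Optional[str]:
    """The fix: only an API key (mintable only after 2FA) is accepted; Basic auth is ignored."""
    return API_KEYS.get(headers.get("X-API-Key", ""))


def find_auth_gaps(catalog: dict, expected: str = "api_key") -> list:
    """Audit helper: list every documented method whose auth scheme is not the 2FA-gated one."""
    return sorted(name for name, scheme in catalog.items() if scheme != expected)


# Constructed catalogue mirroring the writeup's pattern: one method documented under another scheme.
CATALOG = {
    "list_projects": "api_key",
    "get_project": "api_key",
    "create_ticket": "api_key",
    "export_report": "basic",  # hypothetical name for the odd method
}

if __name__ == "__main__":
    hdr = {"Authorization": make_basic_header("alice@example.com", "correct horse")}
    print("odd method with password only:", authorize_odd_method(hdr))       # alice@example.com
    print("consistent check with password only:", authorize_consistent(hdr))  # None
    print("methods not gated by the API key:", find_auth_gaps(CATALOG))       # ['export_report']
```

The audit helper is the part worth reusing: when every method but one is documented under the same scheme, the odd one out is exactly where a second factor enforced at login rather than per request stops applying.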

This is fixed now and was accepted as Low severity, since it requires knowing the target's credentials and only one API method is vulnerable, but it was still interesting to me nonetheless.

Thanks for reading. Join the Bounty Hunter Discord Server: https://discord.gg/bugbounty

Brandon Roldan