Task Description
Summary:
After enabling 2FA, the login flow asks for email, password, and then a valid 2FA code. When the request carrying a valid 2FA code is captured and sent to Burp Repeater, sending multiple parallel copies of that same request returns multiple valid 2FA success responses for a single correct code. These valid responses can then be replayed at any later time to bypass the 2FA challenge completely. As a result, an attacker can repeatedly access the account without ever entering a new 2FA code, fully bypassing the second authentication factor.
Steps to Reproduce:
Enable 2FA on your account.
Log out and attempt to log in again.
Enter a valid email and password.
When the system asks for the 2FA code, enter a valid code and capture this request in Burp Suite.
Send the 2FA request to Burp Repeater and create multiple parallel copies.
Send all parallel requests simultaneously — observe that the server returns multiple valid 2FA success responses for one single valid code.
Now try logging in again: enter any invalid 2FA code.
Capture the invalid response and replace it with one of the previously captured valid parallel responses.
Forward the modified response — you will gain full account access without needing a new 2FA code.
This method works repeatedly.
Impact:
This vulnerability breaks the entire 2FA security model. By replaying the multiple valid responses generated from a single 2FA code, an attacker can repeatedly log in without providing any fresh 2FA code. This completely bypasses multi-factor authentication, rate limiting, and OTP expiration logic, allowing persistent unauthorized access to any protected account.
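The race in the 2FA check described above, written up as an added example (not code from the report or from the affected system): a minimal server-side verifier that shows the vulnerable check-then-mark pattern beside an atomic single-use check, plus a harness that mimics Burp Repeater's parallel send. `OtpVerifier`, `count_successes` and the code value are constructed names; the sleep only widens the window so the race shows reliably.

```python
import hmac
import threading
import time


class OtpVerifier:
    """Server-side check of a single-use 2FA code (constructed example; a real
    service would keep the code and its used flag in a database)."""

    def __init__(self, code: str) -> None:
        self._code = code
        self._used = False
        self._lock = threading.Lock()

    def verify_racy(self, candidate: str) -> bool:
        # Vulnerable pattern: check the code, then mark it used, with nothing
        # making the two steps atomic. Every request that passes the check
        # before the first one writes `_used = True` is accepted.
        if self._used or candidate != self._code:
            return False
        time.sleep(0.05)  # stands in for the DB round-trip between check and update
        self._used = True
        return True

    def verify_atomic(self, candidate: str) -> bool:
        # Hardened pattern: check and consume under one lock (in SQL, one
        # conditional UPDATE ... WHERE used = 0 and test the affected row count).
        with self._lock:
            if self._used or not hmac.compare_digest(candidate, self._code):
                return False
            self._used = True
            return True


def count_successes(verify, candidate: str, parallel: int = 20) -> int:
    """Send `parallel` copies of one code at the same instant, as Burp
    Repeater's parallel send does, and count how many were accepted."""
    barrier = threading.Barrier(parallel)  # release every worker together
    results = []

    def worker() -> None:
        barrier.wait()
        results.append(verify(candidate))

    threads = [threading.Thread(target=worker) for _ in range(parallel)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

The response-swapping step in the report only succeeds if the client treats the success body as proof of authentication, so the fix also has to bind the post-2FA session to the server's own record of the consumed code rather than to anything the client presents.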
Note: Please don't disclose this report