Breaking 2FA Logic for Mass Account Takeover
As an Offensive Security Consultant at Netsentries Technologies, my work with NST Assure — Continuous Threat Exposure Management team often leads me to discover unique and complex security challenges beyond the scope of standard penetration tests. One notable example was a JWT Token Misconfiguration I uncovered on the login page of an enterprise client’s main application. This vulnerability allowed me to bypass the OTP mechanism, showcasing the critical importance of our tailored approach in identifying and mitigating sophisticated security threats to enhance our clients’ defenses.
To learn more about 2FA bypass techniques, you can check out one of my conference slide decks:
Bypassing 2FA Misconfiguration
During the security assessment of one of our client's web applications, the login flow used an OTP as the second factor. While testing it, I observed that after a valid OTP the application issued a JWT, and that this JWT was what the login step used as its authentication check.
I intercepted the request and compared the responses for a valid and an invalid OTP, which showed the way to bypass it.
Screenshots (not reproduced here): the OTP verification request, the wrong-OTP response, and the valid-OTP response.
Notice that for a valid OTP the response carries a JWT, and that JWT is the mechanism used to handle the user's session and authentication. After decoding the token on jwt.io, I found that it was not unique to the user: every valid OTP produced the same token, with no claim tying it to the account that had just been verified.
So I replaced the wrong-OTP response with a JWT obtained from another user's valid OTP. Because the token was poorly configured, not unique and never expiring, the application accepted it and logged me in. What makes this exploitable is server-side: the token is not bound to the user whose OTP was verified and has no expiry, so a token captured from any one valid OTP login can be replayed for any username. Due to this JWT misconfiguration, I was able to perform a mass account takeover on the application through the login flow, for all users.
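To make the flaw concrete, here is an added example (my own illustration, not the client's code or the author's) that models the two halves of the flow: a vulnerable OTP-verify step that issues one shared, non-expiring JWT for every valid OTP, beside a hardened version that binds the token to the verified user, gives it a short expiry and makes it single-use. The users, OTP values, signing key and claim names are all constructed for the demo; the JWT encoding is a minimal hand-rolled HS256 so the script runs with only the standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server signing key; a real deployment loads this from a secret store.
SECRET = b"demo-secret-do-not-reuse"

# Constructed sample data: users and the OTP currently valid for each.
OTPS = {"alice": "123456", "bob": "654321"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(hmac)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def jwt_decode(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


# --- Vulnerable flow: mirrors the misconfiguration described in the post ---

def vulnerable_verify_otp(username: str, otp: str) -> dict:
    if OTPS.get(username) != otp:
        return {"status": "invalid"}
    # Same claim set for everyone, no sub, no exp: every valid OTP yields an identical token.
    return {"status": "ok", "token": jwt_encode({"otp_verified": True}, SECRET)}


def vulnerable_login(username: str, token: str) -> Optional[str]:
    claims = jwt_decode(token, SECRET)
    if claims and claims.get("otp_verified"):
        # The signature checks out, so the server trusts it for whatever username was submitted.
        return f"session for {username}"
    return None


# --- Hardened flow: token bound to the verified user, short-lived, single-use ---

USED_JTI: set = set()


def hardened_verify_otp(username: str, otp: str, now: Optional[int] = None) -> dict:
    if OTPS.get(username) != otp:
        return {"status": "invalid"}
    now = int(time.time()) if now is None else now
    claims = {
        "sub": username,            # binds the token to the account whose OTP was checked
        "otp_verified": True,
        "iat": now,
        "exp": now + 300,           # five-minute validity window
        "jti": secrets.token_hex(8),  # unique id so the token can be consumed once
    }
    return {"status": "ok", "token": jwt_encode(claims, SECRET)}


def hardened_login(username: str, token: str, now: Optional[int] = None) -> Optional[str]:
    now = int(time.time()) if now is None else now
    claims = jwt_decode(token, SECRET)
    if not claims or not claims.get("otp_verified"):
        return None
    if claims.get("sub") != username:      # token issued for a different account
        return None
    if claims.get("exp", 0) <= now:        # expired
        return None
    jti = claims.get("jti")
    if not jti or jti in USED_JTI:         # replayed
        return None
    USED_JTI.add(jti)
    return f"session for {username}"


if __name__ == "__main__":
    # Attacker bob passes OTP on his own account, then replays the token as alice.
    bob_token = vulnerable_verify_otp("bob", "654321")["token"]
    print("vulnerable:", vulnerable_login("alice", bob_token))   # session for alice
    bob_token = hardened_verify_otp("bob", "654321")["token"]
    print("hardened:  ", hardened_login("alice", bob_token))     # None
```

The attacker-side step in the post (editing the wrong-OTP response in a proxy) is only the delivery mechanism; the vulnerable server here would accept bob's token for alice on the next request regardless of how the client obtained it. The hardened checks are all server-side for that reason: compare `sub` with the account being logged in, enforce `exp`, and reject a `jti` that has already been consumed.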
Thanks, everyone, for reading.
If you found this informative, do not forget to clap 👏, and do let me know if you have any doubts.