Breaking 2FA Logic for Mass Account Takeover

Tushar Verma
Mar 14, 2024


As an Offensive Security Consultant at Netsentries Technologies, my work with the NST Assure (Continuous Threat Exposure Management) team often leads me to discover unique and complex security challenges beyond the scope of standard penetration tests. One notable example was a JWT token misconfiguration I uncovered on the login page of an enterprise client’s main application. This vulnerability allowed me to bypass the OTP mechanism, showcasing the critical importance of our tailored approach in identifying and mitigating sophisticated security threats to enhance our clients’ defenses.

To learn more about 2FA bypass techniques, you can check out one of my conference slide decks.

Bypassing 2FA Misconfiguration

During the security assessment of one of our clients’ web applications, the login used OTP functionality. I started testing it and observed that, for a valid OTP, the application issued a JWT token as the authentication check for login.

I intercepted the request, observed the responses for a valid and an invalid OTP, and figured out a way to bypass it.

Screenshots (not reproduced here): the OTP request, the wrong-OTP response, and the valid-OTP response.

Observe that for a valid OTP, the application returns a JWT-based mechanism for handling the session and authentication of a user. After analyzing the JWT token using jwt.io, I figured out that it was not unique; it was just a random token sent back for a valid OTP.

Now I simply replaced the wrong-OTP response with another user’s JWT token. Since the JWT was poorly configured, the token was not unique and did not expire, and I was able to log into the application. Due to this JWT misconfiguration, I was able to perform a mass account takeover on the application via login for all users.
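As an added illustration (this is not code from the post or from the client’s application), the Python below mints a minimal HS256 JWT and shows two verification styles side by side: a weak one that, like the vulnerable application, accepts any validly signed token regardless of who it was issued to or when, and a strict one that binds the token to the user and the pending OTP login session and enforces expiry. The secret, user names and session identifiers are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

SECRET = b"constructed-demo-hmac-key"  # constructed example key, not from the post

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, session_id: str, now: int, ttl: int = 300) -> str:
    """Mint an HS256 JWT bound to one user ('sub'), one OTP login session ('sid'),
    with a short lifetime ('exp') and a unique id ('jti')."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "sid": session_id, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def _signed_claims(token: str) -> Optional[dict]:
    """Return the claims only if the HMAC-SHA256 signature verifies; None otherwise.
    The 'alg' header is deliberately ignored: HS256 with our key is the only algorithm."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None

def weak_accepts(token: str) -> bool:
    """Mirrors the flaw in the post: any validly signed token logs the caller in,
    whoever it was issued for and however old it is, so one user's token works for all."""
    return _signed_claims(token) is not None

def strict_accepts(token: str, user_id: str, session_id: str, now: int) -> bool:
    """Hardened check: valid signature, token bound to this user and this OTP login
    session, and not yet expired."""
    claims = _signed_claims(token)
    if claims is None:
        return False
    return (claims.get("sub") == user_id
            and claims.get("sid") == session_id
            and isinstance(claims.get("exp"), int)
            and claims["exp"] > now)
```

Replaying Alice’s token into Bob’s login attempt passes `weak_accepts` but fails `strict_accepts`, which is the check that closes the account-takeover path described above.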

Thanks, everyone, for reading.

If you found this informative, do let me know if you have any doubts.

Follow me on Twitter, LinkedIn, GitHub


Written by Tushar Verma

Security Engineer | Synack Red Team Member
