Account Takeover via 2FA Bypass

Hello Everyone , This is my first writeup

To People who don’t know me , I Sujay Hazra (TheLittleH4ck3r), This year complete my school journey, Learning penetration testing by day and bug hunter by night, Mainly love to find password reset functionality.

I hope you are all good. Hope you can learn something new. In this writeup is about how I bypass 2FA. I don’t have permission to disclosure target information so let’s call it example.com. So let’s start without wasting time.

It was a normal website. There is not so much functionality, You can create an account, log in, change password, etc. As always I create 2 accounts, as an attacker account and victim account. I noticed this website using password reset functionality is OTP based. Then I requested a password reset.

Then I type random OTP and capture the request on burp suite. And request send to intruder and try to brute force. Website firewall block my multiple request.

Then I used burp suite IP Rotate Extension(Extension for Burp Suite which uses AWS API Gateway to change your IP on every request). More information about IP Rotate Extension →https://github.com/portswigger/ip-rotate

And I successfully bypass 2FA

Then I immediately reported it. But this issue has already been reported by another user :(

I hope you have learned something new from it.

Well if you love this writeup drop a clap 👏(50X), let’s connect then:

Twitter: https://twitter.com/TheLittleH4ck3r

Instagram: https://www.instagram.com/TheLittleH4ck3r