BYPASS TWO FACTOR AUTHENTICATION VULNERABILITY ON LOGIN.GOV

14 November 2017, by Mustafa Kemal Can

I found a way to bypass two-factor authentication on login.gov, a service that holds critical personal information. The vulnerability is caused by a misconfigured email confirmation token.

The account creation process on login.gov is interesting: you have to confirm your email first, rather than last. I realised this might cause security problems, and of course it does…

This is the vulnerable URL (I found it with Burp):

https://idp.staging.login.gov/sign_up/enter_password?confirmation_token=XXX&request_id=

All you need to do is insert the confirmation token you receive by email. The email says “This link will expire in 24 hours.”, but it does not expire, and the link can be used multiple times. 🙂
Because of the structure of this site, when you open the vulnerable link you land directly in your account. The server assumes you have not yet added phone information or set a password, so why would it ask for a password or 2FA?
You can log straight in, bypassing two-factor authentication and any account lockout.
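To make the fix concrete, here is an added example (my own code written for this post, not login.gov's implementation; the names Account, ConfirmationTokenStore, vulnerable_confirm and hardened_confirm are made up) showing what a confirmation link should enforce: the token is hashed at rest, expires after the promised 24 hours, works exactly once, and is never turned into a logged-in session once a password and MFA already exist on the account. The vulnerable_confirm function models the behaviour described above for contrast.

```python
"""Email-confirmation links that expire, are single-use, and never become
a logged-in session once the account has finished setup. Example code
written for this post; it is not login.gov's implementation and all the
names below are my own."""

from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the "24 hours" the email promises


@dataclass
class Account:
    email: str
    password_set: bool = False
    mfa_enrolled: bool = False

    def setup_complete(self) -> bool:
        return self.password_set and self.mfa_enrolled


@dataclass
class ConfirmationRecord:
    account: Account
    issued_at: float
    used: bool = False


class ConfirmationTokenStore:
    """Issues random tokens and stores only a SHA-256 of each (a leaked
    table is then useless), together with issue time and a used flag."""

    def __init__(self) -> None:
        self._records: dict[str, ConfirmationRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: Account, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = ConfirmationRecord(account, now)
        return token

    def lookup(self, token: str) -> ConfirmationRecord | None:
        return self._records.get(self._key(token))


def vulnerable_confirm(store: ConfirmationTokenStore, token: str, now: float):
    """The behaviour the post describes: any known token, at any time and any
    number of times, drops the requester into the account."""
    record = store.lookup(token)
    if record is None:
        return ("rejected: unknown token", None)
    return ("session_granted", record.account)


def hardened_confirm(store: ConfirmationTokenStore, token: str, now: float):
    """Expiry, single use, and an account-state check before any session."""
    record = store.lookup(token)
    if record is None:
        return ("rejected: unknown token", None)
    if record.used:
        return ("rejected: token already used", None)
    if now - record.issued_at > TOKEN_TTL_SECONDS:
        return ("rejected: token expired", None)
    record.used = True  # burn the token before acting on it
    if record.account.setup_complete():
        # A password and MFA already exist: the link must not replace the
        # normal login + 2FA flow, so send the requester there instead.
        return ("redirect_to_login", None)
    return ("continue_setup", record.account)


if __name__ == "__main__":
    store = ConfirmationTokenStore()
    acct = Account("user@example.test")  # constructed sample account
    t0 = 1_700_000_000.0
    tok = store.issue(acct, t0)
    print(hardened_confirm(store, tok, t0 + 60))          # continue_setup
    print(hardened_confirm(store, tok, t0 + 120))         # already used
    print(vulnerable_confirm(store, tok, t0 + 10 * 86400))  # still grants a session
```

The important design choice is the last check in hardened_confirm: expiry and single use close the replay, but only the account-state check stops a confirmation link from ever standing in for a password and a second factor.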

PoC for bypassing two-factor authentication and account lockout:

You can see the original report on HackerOne here.

  • Aug 28th 2017 – I reported it on HackerOne.
  • Aug 30th 2017 – HackerOne said “this is not a vulnerability” (yeah, I said what the fuck too).
  • Sep 5th 2017 – After I emailed the login.gov security team, HackerOne reopened my issue.
  • Nov 3rd 2017 – Issue has been fixed.
  • Nov 3rd 2017 – Waiting for disclosure.
  • Nov 18th 2017 – Report publicly disclosed.

Special thanks to Yunus YILMAZ
