I found a way to bypass two factor authentication on login.gov which contains critical informations in it. This vulnerability occurs because of the misconfigurated token.
The account creating process of login.gov is very interesting. You need to confirm your email first, instead of last. I realised that this might cause some security problems. And it has of course…
This is the vulnerable URL( I found this URL thanks to burp)
https://idp.staging.login.gov/sign_up/enter_password?confirmation_token=XXX&request_id=
All you need to insert your confirmation token you get from your email. It says “This link will expire in 24 hours.” but it is not and I can be used multiple times. 🙂
Because of the structure of this site, when you use vulnerable link, you’ll directly in your account. Because server thinks that you didnt add phone information and set password. So how could it ask for a password or 2FA?
You can directly log in and bypass two factor authentication and if there is any account lock down.
Bypass two factor authentication and account lock down PoC :
You can see the original report on hackerone in here.
- Aug 28th 2017 – I reported it on hackerone.
- Aug 30th 2017 – Hackerone said “this is not a vulnerability” ( Yeah, I said what the fuck too.)
- Sep 5th 2017 – After I emailed login.gov security team, hackerone reopened my issue.
- Nov 3rd 2017 – Issue has been fixed.
- Nov 3th 2017 – Waiting for disclose.
- Nov 18th 2017 – Report publicly disclosed.
Special thanks to Yunus YILMAZ