BYPASS TWO FACTOR AUTHENTICATION VULNERABILITY ON LOGIN.GOV

I found a way to bypass two-factor authentication on login.gov, which contains critical information. This vulnerability occurs because of a misconfigured token.

The account creation process of login.gov is very interesting. You need to confirm your email first, instead of last. I realised that this might cause some security problems. And it has, of course…

This is the vulnerable URL (I found this URL thanks to Burp):

https://idp.staging.login.gov/sign_up/enter_password?confirmation_token=XXX&request_id=

All you need is to insert the confirmation token you get from your email. It says “This link will expire in 24 hours.” but it does not, and it can be used multiple times. :)

Bypass two factor authentication on login.gov

Because of the structure of this site, when you use the vulnerable link, you’ll be directly in your account, because the server thinks that you didn’t add phone information or set a password. So how could it ask for a password or 2FA?

You can directly log in and bypass two-factor authentication and any account lockdown.
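A hardened version of the confirmation-token handling described above, written here as an added illustration and not login.gov’s own code (the Account fields and function names are assumptions): the token is stored only as a hash, expires after the 24 hours the email promises, is burned on first use, and is refused once the account has a password or second factor, so revisiting the link can no longer act as a login.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the lifetime the confirmation email promises


@dataclass
class Account:
    """Hypothetical sign-up record; field names are assumptions, not login.gov's schema."""
    email: str
    password_set: bool = False            # true once sign-up has passed the password step
    mfa_enrolled: bool = False            # true once a phone / second factor is registered
    confirmation_hash: Optional[str] = None
    confirmation_expires: float = 0.0


def _digest(token: str) -> str:
    # Store only a hash, so a database read does not yield usable confirmation links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_confirmation(account: Account, now: float) -> str:
    """Create a fresh single-use confirmation token and return the raw value for the email."""
    token = secrets.token_urlsafe(32)
    account.confirmation_hash = _digest(token)
    account.confirmation_expires = now + TOKEN_TTL_SECONDS
    return token


def redeem_confirmation(account: Account, token: str, now: float) -> bool:
    """Accept the confirmation link only while it is valid, unused and still needed.

    Returns True at most once per issued token, and never once the account has a
    password or second factor: at that point the link must not behave like a login.
    """
    if account.confirmation_hash is None:
        return False                                    # never issued, or already burned
    if account.password_set or account.mfa_enrolled:
        account.confirmation_hash = None                # sign-up finished: the link is dead
        return False
    if now > account.confirmation_expires:
        account.confirmation_hash = None                # enforce the advertised 24h expiry
        return False
    if not hmac.compare_digest(_digest(token), account.confirmation_hash):
        return False                                    # wrong token (constant-time compare)
    account.confirmation_hash = None                    # burn on first successful use
    return True
```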

Bypass two-factor authentication and account lockdown PoC:

You can see the original report on HackerOne here.

Special thanks to Yunus YILMAZ
