I found a way to bypass two-factor authentication on login.gov, a service that holds sensitive personal information. The vulnerability existed because of a misconfigured token.
The account-creation process on login.gov is interesting: you have to confirm your email first, rather than last. I realised that this ordering might cause security problems, and of course it did…
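The post says only that the email-confirmation token was misconfigured and that confirming the email before the rest of sign-up is what made the bypass possible; it does not describe the exact flaw. As an added illustration of the properties such a token needs in an email-first flow (this is example code written for this page, not login.gov's code and not the reported steps), the sign-up state machine below makes the confirmation token single-use, short-lived, and accepted only while the account is still in the "email confirmed, nothing else set up" stage, so a replayed link cannot reopen password or 2FA enrollment on a finished account. The state names, the `Account` record, the TTL and the sample data are all assumptions made for the example.

```python
"""Minimal email-first sign-up state machine (illustrative, not login.gov's code).

Assumed model: an account is created, the email is confirmed via a token,
and only then are the password and 2FA set. The checks below are the ones a
confirmation token should pass in that ordering; the exact misconfiguration
reported against login.gov is not described on the page and is not modelled.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a confirmation link


class State(Enum):
    PENDING_EMAIL = "pending_email"      # created, email not yet confirmed
    EMAIL_CONFIRMED = "email_confirmed"  # email confirmed, password/2FA not set
    ACTIVE = "active"                    # password and 2FA enrolled


@dataclass
class Account:
    email: str
    state: State = State.PENDING_EMAIL
    confirm_token: Optional[str] = None  # server-side copy; None once consumed
    confirm_issued_at: float = 0.0
    password_hash: Optional[str] = None
    totp_secret: Optional[str] = None


def issue_confirmation(acct: Account, now: float) -> str:
    """Mint a fresh single-use token; only allowed while the email is unconfirmed."""
    if acct.state is not State.PENDING_EMAIL:
        raise PermissionError("confirmation only applies to unconfirmed accounts")
    token = secrets.token_urlsafe(32)
    acct.confirm_token = token
    acct.confirm_issued_at = now
    return token


def confirm_email(acct: Account, presented: str, now: float) -> bool:
    """Consume the token. Rejects reuse, expiry and any state but PENDING_EMAIL."""
    if acct.state is not State.PENDING_EMAIL or acct.confirm_token is None:
        return False
    if now - acct.confirm_issued_at > TOKEN_TTL_SECONDS:
        acct.confirm_token = None  # expired links are burned, not retried
        return False
    if not hmac.compare_digest(acct.confirm_token, presented):
        return False
    acct.confirm_token = None  # single use: burn before advancing state
    acct.state = State.EMAIL_CONFIRMED
    return True


def finish_setup(acct: Account, password_hash: str, totp_secret: str) -> bool:
    """Set password and 2FA exactly once, and only from EMAIL_CONFIRMED."""
    if acct.state is not State.EMAIL_CONFIRMED:
        return False
    acct.password_hash = password_hash
    acct.totp_secret = totp_secret
    acct.state = State.ACTIVE
    return True


def demo() -> dict:
    """Walk a constructed account through sign-up, then try to replay the token."""
    now = time.time()
    acct = Account(email="user@example.test")  # constructed sample account
    token = issue_confirmation(acct, now)
    first = confirm_email(acct, token, now)                 # legitimate click
    replay_before_setup = confirm_email(acct, token, now)   # same link again
    setup = finish_setup(acct, "argon2id$constructed", "JBSWY3DPEHPK3PXP")
    replay_after_setup = confirm_email(acct, token, now)    # must not reopen flow
    second_setup = finish_setup(acct, "argon2id$attacker", "ATTACKERSECRET")
    return {
        "first": first,
        "replay_before_setup": replay_before_setup,
        "setup": setup,
        "replay_after_setup": replay_after_setup,
        "second_setup": second_setup,
        "final_state": acct.state,
        "totp_secret": acct.totp_secret,
    }


def expired_case() -> bool:
    """A token older than TOKEN_TTL_SECONDS is refused even on a fresh account."""
    issued = 1_000_000.0
    acct = Account(email="late@example.test")  # constructed sample account
    token = issue_confirmation(acct, issued)
    return confirm_email(acct, token, issued + TOKEN_TTL_SECONDS + 1)


if __name__ == "__main__":
    print(demo())
    print("expired accepted:", expired_case())
```

The point of the `ACTIVE` check in `confirm_email` and `finish_setup` is that once password and 2FA exist, no artefact from the earlier email step can move the account back to a stage where they can be set again; the token is also compared with `hmac.compare_digest` and cleared on first use rather than merely marked.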
This is the vulnerable URL (I found it with Burp):
Proof of concept for bypassing two-factor authentication and account lockout:
- Aug 28th 2017 – I reported it on HackerOne.
- Aug 30th 2017 – HackerOne said "this is not a vulnerability" (yeah, I said what the fuck too).
- Sep 5th 2017 – After I emailed the login.gov security team, HackerOne reopened my issue.
- Nov 3rd 2017 – Issue fixed.
- Nov 3rd 2017 – Waiting for disclosure.
- Nov 18th 2017 – Report publicly disclosed.
Special thanks to Yunus YILMAZ