Bypassing 2FA for Password Reset: By Request Manipulation ($500 Bug)
Explore a real-world account security threat — a 2FA bypass vulnerability. Learn how this flaw allows unauthorized access.

Recently, I found a security flaw in Exam.me (a placeholder name for a private program) that allowed an attacker to bypass Two-Factor Authentication (2FA) during the password reset process. This write-up goes into the specifics of the issue, the steps to reproduce it, and its potential impact.
Understanding the Vulnerability
The security of an online account often relies on multiple layers of protection. One of these layers is 2FA, a process that demands two forms of verification before granting access to an account. This additional step is essential in preventing unauthorized access to an account, even if the password or email falls into the wrong hands.
However, the vulnerability in question covered a scenario where an attacker who had gained control of a user’s email account could reset the password of the victim’s exam.me account without needing the 2FA verification code. That is where the security concern lay.
The Flaw
The password reset and 2FA confirmation process on exam.me follows a set pattern. After the user enters the verification code, the system redirects to a 2FA confirmation page. However, the vulnerability allowed an attacker to intercept the request sent at that step and remove the “/code” segment from the API endpoint. By adding password and password_confirmation fields to the JSON body, the attacker could set a new password for the account without ever supplying the 2FA verification code. In essence, the password could be reset without genuine authorization.
Steps to Reproduce
To reproduce this vulnerability, the following steps were taken:
- Access Password Reset Page: Go to https://exam.me/en/passwords/new.
- Enter OTP and Confirm: Enter the OTP received via email and click the “Confirm” button. This leads to the 2FA verification page.
- Intercept the Request: Intercept the API request sent when confirming the code verification, specifically https://exam.me/en/passwords/------------------------/code.
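The flaw described above and the reproduction steps, modelled as an added example (not code from the program or from the author): a minimal Python reset flow with the /passwords/<token> handler as the write-up describes it, beside a hardened one that accepts a new password only after the server has recorded the /code step for that same token. The class and method names, the status codes and the sample OTP/2FA values are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
@dataclass
class ResetToken:            # server-side state behind /passwords/<token>
    user: str
    second_factor: str       # code the user must present at the /code step
    second_factor_verified: bool = False

class ResetService:
    def __init__(self) -> None:
        self.tokens: dict[str, ResetToken] = {}
        self.passwords: dict[str, str] = {}

    def issue_token(self, user: str, second_factor: str) -> str:
        # Issued once the e-mailed OTP has been confirmed (steps 1 and 2).
        token = secrets.token_urlsafe(16)
        self.tokens[token] = ResetToken(user, second_factor)
        return token

    def confirm_code(self, token: str, code: str) -> int:
        # PUT /passwords/<token>/code: the 2FA step.
        t = self.tokens.get(token)
        if t is None or not secrets.compare_digest(t.second_factor, code):
            return 401
        t.second_factor_verified = True
        return 200

    def reset_vulnerable(self, token: str, body: dict) -> int:
        # /passwords/<token> as found: password fields work for any live token.
        t = self.tokens.get(token)
        if t is None:
            return 401
        return self._set_password(t, body)

    def reset_fixed(self, token: str, body: dict) -> int:
        # Same endpoint, hardened: requires the recorded 2FA step for this token.
        t = self.tokens.get(token)
        if t is None or not t.second_factor_verified:
            return 403
        status = self._set_password(t, body)
        if status == 200:
            del self.tokens[token]  # single use: the token cannot be replayed
        return status

    def _set_password(self, t: ResetToken, body: dict) -> int:
        pw, confirm = body.get("password"), body.get("password_confirmation")
        if not pw or pw != confirm:
            return 422
        self.passwords[t.user] = pw
        return 200
```

The point of the hardened handler is that completion of the second factor is state the server keeps per token, not something inferred from which URL or which JSON fields the client happened to send.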