Strange 2FA Misconfiguration

Bharat Singh
Published in InfoSec Write-ups
3 min read · Jan 13, 2023

Hey guys, I am back again with another interesting bug bounty write-up. In this write-up, I am going to tell you about my recent finding on a VDP. Due to the company’s policy, I can’t reveal the name of the program.
It was a strange 2FA misconfiguration, so without any delay let’s move on to our main story.

Story of the Bug:

I was looking for a newly released VDP (Vulnerability Disclosure Program) through Google Dorking with the help of my dork list.

NOTE: You guys can get access to that list through my GitHub, link attached below.

https://github.com/BH4R4T-SINGH/Bug_Bounty-Google_Dorks/blob/main/Bug%20Bounty%20Google%20Dorks.txt

I found a good target with many functionalities, including 2FA, which was perfect to hunt on. After analysing how the whole web app worked manually, I started to hunt for bugs. Usually, I begin with password reset and email verification type bugs, but this time I decided to go for 2FA (two-factor authentication).

To set up 2FA there were two options:

>Either you can set it up using an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator).

>Or you can set it up using your phone number via SMS.

I went for the SMS option. After that, I entered my phone number and received an OTP to set up the 2FA. After entering the OTP, I clicked the Verify button and intercepted that request.

The request had three parameters in the body: phone number, country code, and verification type. I tried changing the phone number to another phone number to see how the application would respond.

It returned a 200 OK response, and the 2FA option now showed my second phone number (the changed number).

On the front end, my phone number had been changed without any verification, but I was not sure whether it was updated on the backend or not. So I logged out of my account and tried to log in again, and to my surprise, I received the 2FA code on my second phone number. Also, there was no rate limit on the 2FA code request, so an attacker could SMS-bomb the victim’s phone number.
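Both weaknesses in the story come down to the server trusting the verify request instead of its own state. The example below is added here and is not code from the write-up or from the affected application; it models the flow in plain Python with an in-memory user record. It assumes the verify request also carries a `code` field (the write-up lists only phone number, country code and verification type) and uses constructed phone numbers. `verify_vulnerable` enrols whatever number the client sends once the code checks out, which is the behaviour described above; `verify_hardened` enrols only the number the server actually sent the code to and discards the challenge on a mismatch, and `request_sms_otp` applies the per-account send limit that was missing.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional

OTP_TTL_SECONDS = 300      # assumed policy: an SMS code is valid for five minutes
SEND_LIMIT = 3             # assumed policy: at most three code requests ...
SEND_WINDOW_SECONDS = 600  # ... per ten-minute window, per account


@dataclass
class PendingOtp:
    """Server-side record of the number a code was actually sent to."""
    country_code: str
    phone: str
    code: str
    expires_at: float


@dataclass
class User:
    user_id: str
    mfa_phone: Optional[str] = None           # enrolled 2FA number, None until verified
    pending: Optional[PendingOtp] = None      # the outstanding challenge, if any
    send_times: List[float] = field(default_factory=list)


def request_sms_otp(user: User, country_code: str, phone: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Issue a code for the given number, or return None when the send limit is hit.

    A real handler answers None with HTTP 429 and hands the code to the SMS
    gateway; it is returned here only so the example can be exercised offline."""
    now = time.time() if now is None else now
    # Sliding window: forget sends older than the window, then count the rest.
    user.send_times = [t for t in user.send_times if now - t < SEND_WINDOW_SECONDS]
    if len(user.send_times) >= SEND_LIMIT:
        return None
    user.send_times.append(now)
    code = f"{secrets.randbelow(10**6):06d}"
    user.pending = PendingOtp(country_code, phone, code, now + OTP_TTL_SECONDS)
    return code


def verify_vulnerable(user: User, body: dict, now: float) -> bool:
    """The pattern the write-up describes: the enrolled number is read from the
    verify request body, so a client can swap in a number that never got a code."""
    p = user.pending
    if p is None or now > p.expires_at:
        return False
    if not hmac.compare_digest(p.code, body.get("code", "")):
        return False
    user.mfa_phone = body["country_code"] + body["phone"]   # client-controlled value
    user.pending = None
    return True


def verify_hardened(user: User, body: dict, now: float) -> bool:
    """Enrol only the number the server sent the code to. A body whose number
    differs from the challenge is treated as tampering: the challenge is
    discarded, so the user must request a fresh code for the number they want."""
    p = user.pending
    if p is None:
        return False
    if now > p.expires_at:
        user.pending = None
        return False
    if not hmac.compare_digest(p.code, body.get("code", "")):
        return False
    if body.get("country_code") != p.country_code or body.get("phone") != p.phone:
        user.pending = None
        return False
    user.mfa_phone = p.country_code + p.phone   # server-side value, never the body
    user.pending = None
    return True


if __name__ == "__main__":
    # Constructed walk-through: same tampered body against both handlers.
    victim = User("u1")
    code = request_sms_otp(victim, "+91", "5550001111", now=1000.0)
    tampered = {"country_code": "+91", "phone": "5550009999",
                "verification_type": "sms", "code": code}
    print("vulnerable enrolled:", verify_vulnerable(victim, tampered, 1001.0), victim.mfa_phone)
    fresh = User("u2")
    code = request_sms_otp(fresh, "+91", "5550001111", now=1000.0)
    tampered["code"] = code
    print("hardened enrolled:", verify_hardened(fresh, tampered, 1001.0), fresh.mfa_phone)
```

The send limit is keyed per account rather than per phone number so that spreading requests across numbers does not reset it; in production the same window would normally also be applied per destination number and per source IP, and failed code entries would be counted so a six-digit code cannot be brute-forced.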

ENDING

That’s it for this write-up, guys, hope you have enjoyed it. Feel free to connect with me, my DMs are always open for any recommendation or help. See you all with a new write-up.
