E-mail MFA mode allows bypassing MFA from victim’s device when the device trust is not expired
While reading challenges to bypass 2FA, I came to see how l1nkworld submitted a report to Grammarly.
Summary:
It is possible to bypass MFA without the need to have the phone code.
Description:
When MFA is turned on and we have the user's username and password, it is possible to bypass the MFA by only changing some values in the request to the endpoint POST auth.grammarly.com/v3/api/login
Steps To Reproduce:
Note: use Burp Suite or another tool to intercept the requests.
- Turn on and configure your MFA
- Log in with your email and password
- The MFA page is going to appear
- Enter any random number
- When you press the button "sign in securely", intercept the POST request to auth.grammarly.com/v3/api/login and in the POST body change the fields:
  - "mode":"sms" to "mode":"email"
  - "secureLogin":true to "secureLogin":false
- Send the modified request and check: you are in your account! It was not necessary to enter the phone code.
Impact:
The attacker can bypass the experimental MFA. If the attacker has the email and password, they can log in to the account without needing the phone code.
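The root cause described in the report is a server that lets the request body decide whether a second factor is required ("secureLogin") and which factor is checked ("mode"). The following is an added example, not Grammarly's code: a login handler that trusts those fields beside a hardened one that takes the MFA policy only from the server-side account record. The user store, pending-code store and helper names are assumptions.

```python
# Added example (not Grammarly's code): a login handler that lets the request
# body choose the MFA policy, beside one that takes it from the account record.
# The user store, pending-code store and helper names are assumptions.
import hashlib
import hmac

# Constructed account: MFA enrolled with SMS as the only enabled factor.
# Plain SHA-256 is used only to keep the example short; use a real password hash.
USERS = {
    "alice@example.com": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "mfa_enabled": True,
        "mfa_mode": "sms",
    }
}
# Constructed one-time code the server issued for this login attempt.
PENDING_CODES = {("alice@example.com", "sms"): "493021"}

def _password_ok(user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, user["password_hash"])

def _code_ok(email, mode, code):
    expected = PENDING_CODES.get((email, mode))
    return expected is not None and code is not None and hmac.compare_digest(expected, code)

def login_vulnerable(body):
    """Bug class from the report: 'secureLogin' and 'mode' are read from the client."""
    user = USERS.get(body.get("email"))
    if not user or not _password_ok(user, body.get("password", "")):
        return "denied"
    if not body.get("secureLogin", True):      # client can switch the second factor off
        return "ok"
    if body.get("mode") == "sms":              # client can pick a mode that checks no code
        return "ok" if _code_ok(body["email"], "sms", body.get("code")) else "mfa_failed"
    return "ok"                                # "email" mode: no code verified here

def login_hardened(body):
    """Fix: whether MFA applies, and which factor, come only from the account record."""
    user = USERS.get(body.get("email"))
    if not user or not _password_ok(user, body.get("password", "")):
        return "denied"
    if not user["mfa_enabled"]:
        return "ok"
    if _code_ok(body["email"], user["mfa_mode"], body.get("code")):
        return "ok"
    return "mfa_failed"                        # body "mode"/"secureLogin" are ignored
```

A request whose "mode" or "secureLogin" disagrees with the stored policy is also a useful detection signal, since a legitimate client has no reason to send it.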