This blog is all about Cyber Security and IT

Wednesday, March 3, 2021

E-mail MFA mode allows bypassing MFA from victim’s device when the device trust is not expired

While reading about challenges to bypass 2FA, I came across a report that l1nkworld submitted to Grammarly.

Aug 2nd (2 years ago)

It is possible to bypass MFA without needing the phone code.

When we turn on the MFA and we have the user's username and password, it is possible to bypass the MFA only by changing some values in the POST request to the endpoint.

Steps To Reproduce:

  • Use Burp Suite or another tool to intercept the requests
  1. Turn on and configure your MFA
  2. Log in with your email and password
  3. The MFA page is going to appear
  4. Enter any random number
  5. When you press the button "sign in securely", intercept the POST request and in the POST message change the fields:
    • "mode":"sms" to "mode":"email"
    • "secureLogin":true to "secureLogin":false
    • Send the modified request and check: you are in your account! It was not necessary to enter the phone code.


The attacker can bypass the experimental MFA. If the attacker has the email and password, the attacker can log in to the account without needing the phone code.
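The bypass in the report comes down to one design mistake: the server lets the request body decide which second factor applies and whether it is enforced at all. The Python below is an added illustration written for this post; it is not code from the report or from Grammarly. It reconstructs a hypothetical verify handler with that flaw next to a hardened one that takes the enrolled factor from server-side session state, applies the two field edits from the report to a constructed request body, and checks which handler lets the tampered request through. The `code` field name, the session layout and the lockout threshold are assumptions.

```python
import hmac
import json

# Constructed sample request body: what the browser sends after the user types a
# random code on the MFA page. "mode" and "secureLogin" are the field names from
# the report; the "code" field name is an assumption.
ORIGINAL_POST_BODY = '{"mode": "sms", "secureLogin": true, "code": "123456"}'


def tamper_like_the_report(body_json: str) -> str:
    """Apply the two edits the report makes to the intercepted POST body."""
    body = json.loads(body_json)
    body["mode"] = "email"       # "mode":"sms"       -> "mode":"email"
    body["secureLogin"] = False  # "secureLogin":true -> "secureLogin":false
    return json.dumps(body)


def new_session(enrolled_mode: str = "sms", code: str = "987654") -> dict:
    """Hypothetical server-side login state: password already verified, MFA pending."""
    return {"password_ok": True, "mfa_enrolled": True, "mfa_mode": enrolled_mode,
            "expected_code": code, "mfa_passed": False, "attempts": 0}


def vulnerable_mfa_verify(session: dict, body_json: str) -> bool:
    """Hypothetical handler with the flaw the report describes: the request body,
    not the session, decides whether (and how) the second factor is enforced."""
    body = json.loads(body_json)
    if not session["password_ok"]:
        return False
    # Bug: a client that says "secureLogin": false, or switches "mode" away from
    # the enrolled SMS factor, is waved through without presenting any code.
    if not body.get("secureLogin", True) or body.get("mode") != session["mfa_mode"]:
        session["mfa_passed"] = True
        return True
    ok = hmac.compare_digest(str(body.get("code", "")).encode(),
                             session["expected_code"].encode())
    session["mfa_passed"] = ok
    return ok


def hardened_mfa_verify(session: dict, body_json: str, max_attempts: int = 5) -> bool:
    """Hardened handler: enforcement comes only from server-side state."""
    body = json.loads(body_json)
    if not session["password_ok"]:
        return False
    if not session["mfa_enrolled"]:
        session["mfa_passed"] = True
        return True
    if session["mfa_passed"]:
        return True
    # "mode" and "secureLogin" in the body are ignored entirely. Changing the
    # delivery channel is a separate, authenticated settings change, never
    # something the half-authenticated MFA step can request.
    if session["attempts"] >= max_attempts:
        return False  # step is locked after too many wrong codes
    session["attempts"] += 1
    code = body.get("code")
    if not isinstance(code, str):
        return False
    ok = hmac.compare_digest(code.encode(), session["expected_code"].encode())
    if ok:
        session["mfa_passed"] = True
        session["expected_code"] = None  # single use; a replayed code must fail
    return ok


def demo() -> dict:
    """Run the scenarios from the report against both handlers."""
    tampered = tamper_like_the_report(ORIGINAL_POST_BODY)
    correct = json.dumps({"mode": "email", "secureLogin": False, "code": "987654"})
    locked = new_session()
    for _ in range(5):
        hardened_mfa_verify(locked, ORIGINAL_POST_BODY)  # five wrong codes
    return {
        "tampered_body": json.loads(tampered),
        "vulnerable_wrong_code": vulnerable_mfa_verify(new_session(), ORIGINAL_POST_BODY),
        "vulnerable_tampered": vulnerable_mfa_verify(new_session(), tampered),
        "hardened_tampered": hardened_mfa_verify(new_session(), tampered),
        "hardened_correct_code": hardened_mfa_verify(new_session(), correct),
        "hardened_after_lockout": hardened_mfa_verify(locked, correct),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print each scenario's outcome. The hardened handler never reads `mode` or `secureLogin`: the enrolled factor is fixed in the session when the password is checked, the code is compared in constant time with `hmac.compare_digest`, a used code is invalidated, and the step locks after a handful of wrong guesses. The tampered body is rejected because the only thing it still has to supply is the code it does not have.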

