Bypassing 2FA in a Public Bug Bounty Program: A $6000 Journey

As a bug bounty hunter, uncovering vulnerabilities in public programs is both thrilling and rewarding. In this post, I’ll walk you through how I discovered and exploited a 2FA bypass vulnerability in a public bug bounty program (anonymized as redacted.com for confidentiality), earning a total of $6000. I’ll share technical details, including a sample HTTP request for context, and insights from the retesting phase.

The Initial Discovery: Bypassing OTP Verification

The journey began with a standard login process on redacted.com. After entering valid credentials, the web application prompted for a one-time password (OTP) as part of its two-factor authentication (2FA) mechanism. To analyze the process, I ran Burp Suite in the background to intercept HTTP requests.

Here’s what I did:

1. Intercepted the OTP Request: I entered a random OTP, captured the request in Burp Suite’s Proxy tab, and sent it to the Repeater module for further analysis.
2. Dropped the Request: Instead of forwarding the OTP request, I dropped it entirely.

3. Analyzed the Request: The OTP verification request included a JSON Web Token (JWT) in the Authorization header, which was generated before the OTP was validated. This was a critical flaw, as the JWT appeared to grant access to authenticated endpoints.

Below is a sanitized example of the intercepted HTTP request for context:

POST /api/verify-otp HTTP/1.1
Host: redacted.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMTIzNDU2Nzg5MCIsImlhdCI6MTcyODAwMDAwMCwiZXhwIjoxNzI4MDAzNjAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Connection: close

{
  "otp": "123456"
}

The JWT token in the Authorization header was the key. By dropping the OTP verification request, I hypothesized that the token might still be valid for accessing other endpoints.

Exploring API Endpoints with GAP and Intruder

To test the extent of the vulnerability, I used Burp Suite’s Get All Parameters (GAP) extension to enumerate all API endpoints associated with redacted.com. Then, I leveraged Burp’s Intruder tool to systematically send requests to these endpoints, including the JWT token in the Authorization header.

Surprisingly, I gained access to all API endpoints without completing the OTP verification. This was a significant security flaw, as it effectively bypassed the 2FA mechanism entirely.

Reporting and Reward

I responsibly reported the vulnerability to the program, detailing the steps to reproduce and the potential impact (e.g., unauthorized access to sensitive user data or actions). The company acknowledged the issue, fixed the bug, and awarded me $4000 for the initial finding.

Retesting: A Persistent Payment Endpoint Flaw

After the fix, I retested the application (after 1 year) to ensure the vulnerability was resolved. The OTP verification process now appeared more robust, and most endpoints redirected unauthenticated requests to the OTP page. However, I decided to explore further using a different approach: browser forcing.

Instead of interacting with the OTP prompt in the browser, I manually navigated to the payment/order page (/payment/order) by directly entering the URL. To my surprise, this endpoint was still accessible without OTP verification. I could view and interact with the payment functionality, which was a critical oversight.

For context, here’s a sample HTTP request to the payment endpoint:

GET /payment/order/transection HTTP/1.1
Host: redacted.com
Cookie:
Connection: close

I tested other endpoints, but they correctly redirected to the OTP page. The payment/order/transection endpoint was the only one still vulnerable, indicating an incomplete fix.

Second Report and Additional Reward

I submitted a follow-up report, highlighting the persistent issue with the payment/order endpoint. The company promptly addressed the oversight and awarded me an additional $2000, bringing the total bounty to $6000.

Key Takeaways

This experience underscored several important lessons for bug bounty hunters and developers alike:

1. Test Beyond the Obvious: Dropping requests or bypassing UI prompts (e.g., browser forcing) can reveal hidden vulnerabilities.
2. Enumerate Endpoints Thoroughly: Tools like GAP and Intruder are invaluable for discovering unprotected endpoints.
3. Retest After Fixes: Incomplete patches can leave critical endpoints exposed, as seen with the payment/order page.
4. Responsible Disclosure: Clear, detailed reports help companies fix issues effectively and reward hunters fairly.

For developers, this case highlights the importance of validating authentication and authorization at every endpoint, especially for sensitive functionality like payments. Generating JWTs before completing 2FA checks is a recipe for disaster.

Conclusion

Finding and exploiting this 2FA bypass was a rewarding journey, both financially and intellectually. It reinforced the value of persistence, creative testing, and thorough retesting in bug bounty hunting. I hope this write-up inspires other hunters to dig deeper and helps developers strengthen their applications.

Happy hunting, and stay secure!

Follow: https://x.com/tabaahi_