Showing posts from April, 2023

Breaking the Barrier: How Attackers can Bypass 2FA in Back-office Login and Ways to Fix It

During a recent security assessment of a back-office system, our team identified a critical vulnerability in the implementation of two-factor authentication (2FA). Specifically, the 2FA generation API allowed a new 2FA secret to be generated for any back-office account without checking whether that account already had 2FA set up. Because the newly generated secret replaces the legitimate one, an attacker holding only valid credentials (username and password) could enroll a secret they control, complete the second step with it, and so bypass the 2FA protection on the account.

The Root Cause: Flawed Implementation of the 2FA Generate API

On further investigation, we traced the root cause to the 2FA generate API itself, which did not verify whether an account already had 2FA set up. In addition, the JWT (JSON Web Token) access token issued after the first login step (password only) was sufficient to call the 2FA generate API: it carried a claim indicating whether the session had passed 2FA, but no claim indicating whether 2FA was already set up, and the API did not consult the account's enrollment state on the server side either
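The following is an added example, not code from the original post or from the assessed back-office system. It models the flaw and its fix in Python: a minimal HS256 JWT issuer/verifier standing in for the authentication server, a constructed in-memory account store, and two versions of the 2FA generate handler. The vulnerable version mints a new secret for any account presented with a valid post-password token; the hardened version treats the server-side enrollment state as authoritative and refuses to regenerate a secret for an enrolled account unless the session has already passed the existing second factor. The claim names `sub` and `mfa_passed`, the signing key and the account data are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed demo signing key; a real deployment loads this from a secret store.
SIGNING_KEY = b"demo-backoffice-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Minimal HS256 JWT issuer (stand-in for the back-office auth server)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str):
    """Return the claims if the signature is valid, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None


def demo_accounts() -> dict:
    """Constructed account store: one account with 2FA enrolled, one without."""
    return {
        "admin": {"totp_secret": "JBSWY3DPEHPK3PXP"},  # already enrolled (constructed secret)
        "newhire": {"totp_secret": None},              # never enrolled
    }


def password_step_token(username: str) -> str:
    """Token issued after step 1 (password only). As in the vulnerable design it says
    whether 2FA has been passed, but nothing about whether 2FA is enrolled (assumed claim names)."""
    return issue_token({"sub": username, "mfa_passed": False})


def _new_totp_secret() -> str:
    return base64.b32encode(secrets.token_bytes(10)).decode()  # 16 base32 chars


def generate_2fa_vulnerable(token: str, accounts: dict) -> str:
    """Vulnerable pattern: any valid token can mint a fresh secret, even for an account
    that already has 2FA, silently replacing the legitimate secret."""
    claims = verify_token(token)
    if claims is None:
        raise PermissionError("invalid token")
    new_secret = _new_totp_secret()
    accounts[claims["sub"]]["totp_secret"] = new_secret
    return new_secret


def generate_2fa_fixed(token: str, accounts: dict) -> str:
    """Hardened pattern: the server-side enrollment state is authoritative. A fresh secret
    is issued only to an un-enrolled account, or to a session that already passed the
    existing second factor (deliberate re-enrollment)."""
    claims = verify_token(token)
    if claims is None:
        raise PermissionError("invalid token")
    account = accounts[claims["sub"]]
    if account["totp_secret"] is not None and not claims.get("mfa_passed", False):
        raise PermissionError("2FA already enrolled; complete 2FA before regenerating")
    new_secret = _new_totp_secret()
    account["totp_secret"] = new_secret
    return new_secret


if __name__ == "__main__":
    accounts = demo_accounts()
    token = password_step_token("admin")  # attacker holding only the admin password
    print("vulnerable handler issued:", generate_2fa_vulnerable(token, demo_accounts()))
    try:
        generate_2fa_fixed(token, accounts)
    except PermissionError as exc:
        print("fixed handler blocked:", exc)
```

The decisive check is the one against `account["totp_secret"]`, not against anything in the token: an attacker can present a perfectly valid token and the token truthfully says `mfa_passed: false`, so the only reliable signal is the enrollment state the server itself stores. Adding an "enrolled" claim to the token is a useful optimisation, but the API must still re-check the stored state, since a token minted before enrollment remains valid until it expires.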