Breaking the Barrier: How Attackers can Bypass 2FA in Back-office Login and Ways to Fix It
During a recent security assessment of the back-office system, our team identified a critical vulnerability in the implementation of two-factor authentication (2FA). Specifically, we discovered that the 2FA generation API allowed the generation of a new 2FA secret for any back-office account without verifying whether the account already had 2FA set up. This flaw allowed an attacker to bypass 2FA protection and gain access to the account using only valid credentials.
The Root Cause: Flawed Implementation of 2FA Generate API
Upon further investigation, we identified that the root cause of this vulnerability was in the implementation of the 2FA generate API, which did not verify if an account already had 2FA set up or not. Additionally, the JWT (JSON Web Token) access token provided after the first login step was enough to call the 2FA generate API, as it had a claim that indicated whether the account had passed 2FA or not, but lacked a claim indicating if 2FA was already set up for the account.
Exploiting the Vulnerability: Manipulating the Server Response to Reset 2FA Secret
The UI behavior of the back-office system relied on the server response to the first login step. If the username, password and CAPTCHA were valid, the server responded with JWT access and refresh tokens, profile and permissions data, and an indication of 2FA registration (a parameter set to either true or false). The web client then rendered the 2FA screen according to the parameter value.
If false, it rendered the initial 2FA registration, which initiated a call to the 2FA generate API. If true, it rendered the 2FA login, which called the 2FA authenticate API. An attacker could exploit this vulnerability by manipulating the server response, changing the parameter from true to false to reset the 2FA secret without having to call the APIs directly.
Fixing the Vulnerability: Enforcing 2FA Authentication on Backend and Improving Frontend Authentication Request
To address this vulnerability, we recommended enforcing 2FA authentication on the backend side, so that re-generation of the 2FA secret is refused whenever the account already has 2FA set up. Additionally, we recommended that the frontend only send an authentication request, without specifying whether the user has a 2FA secret generated or not.
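The following is an added illustration of the root cause and the recommended fix, not code from the assessed back-office system or from Komodo Consulting. It models the two-step login described above in Python: a first step that issues a partial token (2FA not yet passed), the flawed generate handler that issues a fresh secret on any such token, and the hardened handler that decides from server-side account state alone. The account store, the toy HMAC-signed token standing in for the JWT, the claim names (sub, mfa_passed) and all function names are assumptions made for this example.

```python
"""Added example: flawed vs. hardened 2FA secret generation.

Everything here (accounts, token format, claim names, function names)
is constructed for illustration and is not the assessed system's code.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"example-only-signing-key"  # constructed; never reuse


@dataclass
class Account:
    username: str
    password_hash: str
    totp_secret: Optional[str] = None  # None means 2FA was never enrolled


# Constructed sample data: one account already enrolled in 2FA, one not.
ACCOUNTS = {
    "admin": Account("admin", hashlib.sha256(b"hunter2").hexdigest(),
                     totp_secret="JBSWY3DPEHPK3PXP"),
    "analyst": Account("analyst", hashlib.sha256(b"correct-horse").hexdigest()),
}


def issue_token(claims: dict) -> str:
    """Toy HMAC-signed token standing in for the JWT issued after step one."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> dict:
    """Check the signature and return the claims; reject anything tampered."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))


def first_login_step(username: str, password: str) -> dict:
    """Step one: password check, then a partial token with mfa_passed=False.

    Hardened variant of the login response: it carries no enrolment flag
    for the client to act on; the server decides the next step itself.
    """
    acct = ACCOUNTS.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if acct is None or not hmac.compare_digest(acct.password_hash, supplied):
        raise PermissionError("invalid credentials")
    return {"access_token": issue_token({"sub": username, "mfa_passed": False})}


def _new_totp_secret() -> str:
    return base64.b32encode(secrets.token_bytes(20)).decode()


def generate_2fa_secret_vulnerable(token: str) -> str:
    """Flawed handler (the root cause): any valid partial token may call it,
    and it never consults server-side state, so an enrolled account's
    existing secret is silently overwritten."""
    claims = verify_token(token)
    acct = ACCOUNTS[claims["sub"]]
    acct.totp_secret = _new_totp_secret()
    return acct.totp_secret


def generate_2fa_secret_fixed(token: str) -> str:
    """Hardened handler: enrolment is allowed only when the account has no
    secret yet, judged from the server's own record, not from the client."""
    claims = verify_token(token)
    acct = ACCOUNTS[claims["sub"]]
    if acct.totp_secret is not None:
        # Re-enrolment must go through a separate, fully authenticated flow
        # (mfa_passed=True) with its own audit trail; refuse it here.
        raise PermissionError("2FA already enrolled; regeneration refused on a partial session")
    acct.totp_secret = _new_totp_secret()
    return acct.totp_secret


def try_generate_fixed(token: str) -> Optional[str]:
    """Convenience wrapper: the new secret, or None if the hardened handler refused."""
    try:
        return generate_2fa_secret_fixed(token)
    except PermissionError:
        return None


if __name__ == "__main__":
    tok = first_login_step("admin", "hunter2")["access_token"]
    print("fixed handler for enrolled admin:", try_generate_fixed(tok))
    tok2 = first_login_step("analyst", "correct-horse")["access_token"]
    print("fixed handler for unenrolled analyst:", try_generate_fixed(tok2))
```

The design point is in `generate_2fa_secret_fixed`: the only input that decides whether a secret may be issued is the account record on the server, so a client that renders the wrong screen, or calls the endpoint directly with a partial token, cannot cause an enrolled account's secret to be replaced.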
Conclusion: Importance of Penetration Testing and Role of Application Security Researchers
This case study highlights the importance of a thorough security assessment and the critical role that application security researchers play in identifying and addressing vulnerabilities that could put systems and sensitive data at risk.
With the increasing number of cyber-attacks targeting organizations and individuals, it is essential to implement robust security measures, including multi-factor authentication, to protect against unauthorized access and data breaches.
Organizations should prioritize regular security assessments and testing to identify vulnerabilities and implement measures to mitigate them. Furthermore, it is crucial to stay up to date with the latest security best practices and technologies to ensure the ongoing protection of sensitive information.
By taking a proactive approach to security, organizations can safeguard their systems and data from potential threats and maintain the trust of their users and customers.
Get in touch with Komodo Consulting to strengthen your security posture. We'll discuss your unique demands and build a solution that fulfills your needs within your budget.