How Disabling 2FA Could End with a Bug?

Mahmoud Hamed
4 min read · Oct 8, 2024


In 2023, I focused on hunting on HackerOne and found many logical flaws, which earned me 5th place in HackerOne's own program for 2023. This write-up dives into one of the bugs I discovered during that period.

https://hackerone.com/security/thanks/2023?type=team

Generally, my approach on HackerOne is to read reports previously disclosed by other researchers and try to reproduce their impact through a different exploitation path.

I was reading a disclosed report about a race condition in claiming program credentials. By manipulating the credential-claim GraphQL request, the researcher triggered a race condition that let the same user claim multiple test credentials. Because a program provides only a limited number of test accounts, this could prevent other researchers from obtaining one.

https://hackerone.com/reports/488985

At this point, I wondered how I could achieve a similar impact through a different approach. I first noticed that some HackerOne private programs require two-factor authentication to be enabled in order to participate.

This program requires two-factor authentication to be enabled in order to participate.

Okay, what if I disable the 2FA?

I would be automatically removed from every program that requires 2FA, and a new invitation to each of those programs would be sent to me. However, I could not accept the invitation unless I re-enabled 2FA.

Disabling 2FA results in removal from all programs that require 2FA, and a new invitation to the programs I was removed from is sent to me.

So, what if I claim a test credential, disable 2FA to get removed from the program that requires it, re-enable 2FA to accept the new invitation, and then claim a new test credential again?

Yes, it works. Here are the full steps to reproduce:

1. Claim test credentials from any program that requires 2FA to be enabled.

Claimed Credential: Admin : password123

2. Disable 2FA from your account.

Note: You will be removed from all private programs that require 2FA to be enabled, and a new invitation will be sent to you again.

3. Enable 2FA.

4. Accept the invitation to the targeted private program.

5. Claim another test credential for the second time from the same targeted program.

Claimed Credential: Admin : password456

Note that the credentials obtained in Step 1 differ from those acquired in Step 5. Additionally, upon receiving the new credentials, the previous ones remain valid and usable.

What is the Impact?

Exploiting this flaw allows a researcher to claim multiple test credentials with a single account. Because a program provides only a limited number of test accounts, this can prevent other researchers from obtaining one.

Now, let's take a closer look at the behavior of the credentials management system and at the fix.

The behavior of the credentials management system:

  1. When a researcher leaves a private program by their own choice or is removed by program owners, any credentials they have claimed are revoked.
  2. If a researcher disables 2FA on their own account, they are promptly removed from all programs that require 2FA, and an automated invitation to the same private programs is sent to them. However, any credentials they have already claimed are not revoked.
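To make the difference between the two removal paths concrete, here is an added toy model that replays steps 1 to 5 against a program handing out two test accounts. This is my own illustration, not HackerOne's code: the class names, the `revoke_on_2fa_removal` switch and the sample credentials are invented. With the switch off it reproduces the reported behavior (the researcher ends up holding both credentials); with it on, the 2FA-triggered removal revokes credentials the same way a normal leave does, which is one plausible shape for the fix and is an assumption on my part.

```python
"""Toy model of program membership, 2FA enforcement and test-credential claims.

Added example, not HackerOne's code. All names and sample data are invented.
"""
from dataclasses import dataclass, field


class ClaimError(Exception):
    """Raised when an invite acceptance or a credential claim is refused."""


@dataclass
class Program:
    name: str
    requires_2fa: bool
    pool: list                                    # unclaimed test credentials (constructed)
    members: set = field(default_factory=set)
    pending_invites: set = field(default_factory=set)
    issued: dict = field(default_factory=dict)    # researcher -> live credentials
    revoked: list = field(default_factory=list)   # credentials no longer usable


class Platform:
    def __init__(self, revoke_on_2fa_removal: bool):
        # False reproduces behavior (2) above; True treats a 2FA-triggered
        # removal like behavior (1). The switch itself is an assumption.
        self.revoke_on_2fa_removal = revoke_on_2fa_removal
        self.programs: dict = {}
        self.twofa: dict = {}          # researcher -> 2FA enabled?

    def add_program(self, program: Program) -> None:
        self.programs[program.name] = program

    def invite(self, program: str, researcher: str) -> None:
        self.programs[program].pending_invites.add(researcher)

    def accept_invite(self, program: str, researcher: str) -> None:
        p = self.programs[program]
        if researcher not in p.pending_invites:
            raise ClaimError("no pending invite")
        if p.requires_2fa and not self.twofa.get(researcher, False):
            raise ClaimError("program requires 2FA")   # matches: invite unusable without 2FA
        p.pending_invites.discard(researcher)
        p.members.add(researcher)

    def claim(self, program: str, researcher: str) -> str:
        p = self.programs[program]
        if researcher not in p.members:
            raise ClaimError("not a member")
        if not p.pool:
            raise ClaimError("no test credentials left")  # the limited pool is exhausted
        cred = p.pool.pop(0)
        p.issued.setdefault(researcher, []).append(cred)
        return cred

    def _revoke(self, p: Program, researcher: str) -> None:
        p.revoked.extend(p.issued.pop(researcher, []))

    def leave(self, program: str, researcher: str) -> None:
        """Behavior (1): leaving or being removed by the owners revokes credentials."""
        p = self.programs[program]
        p.members.discard(researcher)
        self._revoke(p, researcher)

    def set_2fa(self, researcher: str, enabled: bool) -> None:
        """Behavior (2): disabling 2FA removes the researcher from every 2FA-only
        program and re-invites them. In the vulnerable configuration this removal
        path skips the revocation that leave() performs."""
        self.twofa[researcher] = enabled
        if enabled:
            return
        for p in self.programs.values():
            if p.requires_2fa and researcher in p.members:
                p.members.discard(researcher)
                if self.revoke_on_2fa_removal:
                    self._revoke(p, researcher)
                p.pending_invites.add(researcher)

    def live_credentials(self, program: str, researcher: str) -> list:
        return list(self.programs[program].issued.get(researcher, []))


def run_scenario(revoke_on_2fa_removal: bool) -> Platform:
    """Replay steps 1-5 from the write-up and return the resulting platform state."""
    platform = Platform(revoke_on_2fa_removal)
    # Constructed sample data: a private 2FA-only program with two test accounts.
    platform.add_program(Program("target", requires_2fa=True,
                                 pool=["admin:password123", "admin:password456"]))
    platform.set_2fa("researcher", True)
    platform.invite("target", "researcher")
    platform.accept_invite("target", "researcher")

    platform.claim("target", "researcher")            # step 1: first credential
    platform.set_2fa("researcher", False)             # step 2: removed and re-invited
    platform.set_2fa("researcher", True)              # step 3
    platform.accept_invite("target", "researcher")    # step 4
    platform.claim("target", "researcher")            # step 5: second credential
    return platform


if __name__ == "__main__":
    for flag in (False, True):
        state = run_scenario(flag)
        print("revoke_on_2fa_removal =", flag,
              "live:", state.live_credentials("target", "researcher"),
              "revoked:", state.programs["target"].revoked)
```

The point the model makes explicit is that the invariant "one live test credential per researcher per program" was enforced only on the voluntary-leave and owner-removal paths; any other path that drops membership and re-grants it (here, toggling 2FA) must either revoke on the way out or check for existing live credentials before issuing a new one.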

Regarding the fix, I created a flowchart outlining the steps involved.

I provided the HackerOne team with this analysis along with the suggested fix, and they awarded a bonus on top of the bounty for it.

That was all for this write-up! If you have any questions or feedback, please don’t hesitate to DM me on LinkedIn or Twitter. See you in the next write-up!
