Authentication Bypasses (2)

2FA Password Reset

A recent (2016) write-up (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass) is a great example of an authentication bypass. The author was unable to receive the SMS with a code, so he opted for the provided alternative method, which involved security questions. Using an intercepting proxy, he removed the security-question parameters from the request entirely... and the verification step was bypassed.

The Scenario

You are resetting your password, but doing it from a location or device that your provider does not recognize, so you need to answer the security questions you set up. The other issue is that your answers to those security questions are stored on another device (not with you) and you don't remember them.

You have already provided your username/email and opted for the alternative verification method.

Solution

  • 💡 The attack on this is similar to the story referenced, but not exactly the same.

  • 💡 You do want to tamper with the security question parameters, but not delete them.

  • 💡 The logic to verify the account does expect 2 security questions to be answered, but there is a flaw in the implementation.

  • 💡 Have you tried renaming the secQuestion0 and secQuestion1 parameters?

  • Open the Development Tools in the browser, and go to the Network tab.

  • Click Submit without entering any security-question answers.

  • Locate the query to verify-account in the Network tab and click on Edit and Resend.

  • Modify the parameters secQuestion0=&secQuestion1=&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=yourid to secQuestion2=&secQuestion3=&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=yourid.
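Why the renamed parameters get through, shown as an added example that is not the lesson application's own code: a reconstruction of the kind of verification flaw the hints describe, next to a hardened version, run over the two request bodies from the steps above. The stored answers, the two verify functions and the userId value are assumptions made for illustration.

```python
# Added example (not the lesson application's code): a plausible reconstruction
# of the flawed verify-account logic beside a fixed one. Stored answers are
# constructed; "yourid" is the placeholder from the lesson text.
from urllib.parse import parse_qs

# Constructed stored answers for the account being verified.
STORED_ANSWERS = {"secQuestion0": "watson", "secQuestion1": "baker"}

# The two request bodies from the lesson steps.
ORIGINAL_BODY = "secQuestion0=&secQuestion1=&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=yourid"
RENAMED_BODY = "secQuestion2=&secQuestion3=&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=yourid"


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def verify_flawed(stored: dict, submitted: dict) -> bool:
    """Flawed check (assumed): iterates the *submitted* question names and only
    compares the ones it recognises. It does require two secQuestion* values,
    but renamed names are never compared, so nothing can fail."""
    answers = {k: v for k, v in submitted.items() if k.startswith("secQuestion")}
    if len(answers) != len(stored):
        return False
    for name, value in answers.items():
        if name in stored and stored[name] != value:
            return False
    return True


def verify_fixed(stored: dict, submitted: dict) -> bool:
    """Hardened check: iterate the *stored* questions; every one must be present
    in the submission and match. Extra, missing or renamed names cannot help."""
    for name, expected in stored.items():
        if submitted.get(name) != expected:
            return False
    return True


def check(body: str, verifier) -> bool:
    """Run one request body through the given verifier."""
    return verifier(STORED_ANSWERS, parse_form(body))


if __name__ == "__main__":
    print("flawed, original body :", check(ORIGINAL_BODY, verify_flawed))  # False
    print("flawed, renamed body  :", check(RENAMED_BODY, verify_flawed))   # True (bypass)
    print("fixed,  renamed body  :", check(RENAMED_BODY, verify_fixed))    # False
```

The defensive rule is the one in `verify_fixed`: drive the comparison from the server-side list of expected questions, never from whatever parameter names the client chose to send.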
