
5500$ Bug Story - Ezzy 2FA Bypass


Summary:

A payment application requires 2FA verification over both your phone number and your email whenever you edit user details such as name, email or phone number. I found an easy bypass of the implemented 2FA flow through which an attacker can edit a victim's details without access to the victim's phone or email, which ultimately leads to an account takeover.

Steps to Reproduce:

  1. Go to the Edit section and start editing the email field.
  2. The 2FA prompt asks you for an OTP sent to the current email.
  3. Enter the wrong OTP "123456" and intercept the response.
  4. Change the response from {"success":"false"} to {"success":"true"}.
  5. The 2FA prompt then asks you for an OTP sent to the current phone number.
  6. Enter the wrong OTP "123456" and intercept the response.
  7. Change the response from {"success":"false"} to {"success":"true"}.
  8. The prompt asks for the new email address; input the attacker's email here.
  9. Enter the OTP that arrives in the attacker's inbox.
  10. Refresh the dashboard: the email has been changed.

Why It Happened

Generally, after 2FA verification (the 1st HTTP request) the server issues a token, and the client must present that token with the email change request (the 2nd HTTP request). Here, no such token was returned when the OTP was submitted (in the 1st HTTP response), so the only thing gating the next stage was the success flag in a response the client controls. Whether each stage of a multi-stage action is tied to server-side state is a common thing to check.
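The fix described above, as an added illustration that is not the application's code: a small in-memory gate in which the OTP result lives only on the server, a step token is minted only once both channels have verified, and the email change request is accepted only against a live, single-use token bound to the same user. The class, method names and the `step_token` field are assumptions for this example; the response shapes mirror the `{"success": ...}` bodies seen in the report.

```python
import secrets
import time


class TwoFactorGate:
    """Server-side state for a multi-stage sensitive action (assumed design,
    not the real application's code). Every "success" decision is derived
    from state held here, so a client that rewrites a response body cannot
    advance the flow."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}      # user_id -> {"otp": {channel: code}, "verified": set()}
        self._step_tokens = {}  # token -> {"user_id": ..., "expires": ...}

    def start_edit(self, user_id):
        """Begin the flow: one OTP per channel, remembered server side."""
        codes = {
            "email": f"{secrets.randbelow(10**6):06d}",
            "phone": f"{secrets.randbelow(10**6):06d}",
        }
        self._pending[user_id] = {"otp": codes, "verified": set()}
        return codes  # sent out of band in a real app, never returned to the client

    def verify_otp(self, user_id, channel, submitted):
        """Stages 1 and 2: check one channel's OTP. The step token appears in
        the response only after BOTH channels have verified on the server."""
        state = self._pending.get(user_id)
        if state is None or channel not in state["otp"]:
            return {"success": False}
        if not secrets.compare_digest(state["otp"][channel], submitted):
            return {"success": False}
        state["verified"].add(channel)
        if state["verified"] != set(state["otp"]):
            return {"success": True}
        token = secrets.token_urlsafe(32)
        self._step_tokens[token] = {"user_id": user_id, "expires": time.time() + self.ttl}
        del self._pending[user_id]
        return {"success": True, "step_token": token}

    def change_email(self, user_id, step_token, new_email):
        """Stage 3: accept the change only with a live token bound to this user.
        The token is consumed on first use, whatever the outcome."""
        record = self._step_tokens.pop(step_token, None)
        if record is None or record["user_id"] != user_id or record["expires"] < time.time():
            return {"success": False, "error": "2fa_required"}
        # here the app would persist new_email and send its confirmation OTP to it
        return {"success": True, "email": new_email}


def demo_tampered_attempt():
    """Wrong OTPs plus a client-side rewrite of success:false to true gain
    nothing: no step token was ever minted, so stage 3 is refused."""
    gate = TwoFactorGate()
    codes = gate.start_edit("victim")
    wrong = {ch: ("000000" if code != "000000" else "111111") for ch, code in codes.items()}
    email_resp = gate.verify_otp("victim", "email", wrong["email"])
    phone_resp = gate.verify_otp("victim", "phone", wrong["phone"])
    email_resp["success"] = phone_resp["success"] = True  # the intercepted-response edit
    forged = phone_resp.get("step_token") or "made-up-token"  # constructed placeholder
    return gate.change_email("victim", forged, "attacker@example.com")


def demo_legitimate_flow():
    """Correct OTPs on both channels yield a token that works exactly once."""
    gate = TwoFactorGate()
    codes = gate.start_edit("victim")
    gate.verify_otp("victim", "email", codes["email"])
    resp = gate.verify_otp("victim", "phone", codes["phone"])
    first = gate.change_email("victim", resp["step_token"], "new@example.com")
    replay = gate.change_email("victim", resp["step_token"], "again@example.com")
    return first, replay


if __name__ == "__main__":
    print(demo_tampered_attempt())
    print(demo_legitimate_flow())
```

The point of the design is that the client never carries the verification result, only an opaque reference to it; what remains for a production version is the usual OTP hygiene around this gate (attempt limits and lockout on repeated wrong codes, short OTP lifetimes, and the confirmation OTP on the new address that the report already shows the application sending).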

Reporting Timeline

10 May 2023 - Reported via HackerOne

11 May 2023 - Status changed to Triaged

7 June 2023 - Retest completed ($50) and Resolved

10 June 2023 - $5000 reward + $500 bonus

Author: Inderjeet Singh
Hackerone: https://hackerone.com/encodedguy
Twitter: https://twitter.com/3nc0d3dGuY

Happy Hacking!!