E-mail MFA mode allows bypassing MFA from victim’s device when the device trust is not expired

While reading challenges to bypass 2FA, I came across how l1nkworld submitted a report to Grammarly.

Aug 2nd (2 years ago)

Summary:
It is possible to bypass MFA without needing the phone code.

Description:
When MFA is turned on and we have the user's username and password, it is possible to bypass MFA just by changing some values in the request to the endpoint POST auth.grammarly.com//v3/api/login

Steps To Reproduce:

Note:

  • Use Burp Suite or another tool to intercept the requests
  1. Turn on and configure your MFA
  2. Log in with your email and password
  3. The MFA page is going to appear
  4. Enter any random number
  5. When you press the "sign in securely" button, intercept the request POST auth.grammarly.com/v3/api/login and in the POST body change the fields:
    • "mode":"sms" to "mode":"email"
    • "secureLogin":true to "secureLogin":false
    • Send the modified request and check: you are in your account! It was not necessary to enter the phone code.

Impact

The attacker can bypass the experimental MFA. If the attacker has the email and password, they can log in to the account without needing the phone code.
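The tampering described in the report only works if the server lets fields in the POST body decide whether a second factor is required and which channel is used. What follows is an added illustration, not Grammarly's code and not part of the report: a toy second-step login handler that trusts the client's "mode" and "secureLogin" values, next to a hardened handler that reads both from server-side state. The account data, the `attemptId` field, the pending-challenge table, and the assumption that the e-mail branch of the vulnerable handler skips the code check are all constructed for this example.

```python
"""Toy model of the second login step: a handler that trusts the client's
"mode" and "secureLogin" fields next to one that decides both server-side.
Added illustration; not Grammarly's code. All data below is constructed."""
import hmac
import secrets

# Constructed account store: one user with MFA turned on.
ACCOUNTS = {
    "victim@example.com": {"password": "correct horse battery staple", "mfa_enabled": True},
}

# Server-side record of the SMS challenge issued after the password check in
# step 1. The attempt id is handed to the client; the code is not. (Constructed.)
PENDING_CHALLENGES = {
    "attempt-7f3c": {"email": "victim@example.com", "mode": "sms", "code": "493021"},
}

# The body the report describes: mode switched to "email", secureLogin set to
# false, and a random number in place of the real code. (Constructed.)
TAMPERED_REQUEST = {
    "email": "victim@example.com",
    "password": "correct horse battery staple",
    "attemptId": "attempt-7f3c",
    "mode": "email",
    "secureLogin": False,
    "code": "000000",
}


def password_ok(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    return acct is not None and hmac.compare_digest(acct["password"], password)


def issue_session(email: str) -> str:
    return f"session:{email}:{secrets.token_hex(4)}"


def login_vulnerable(body: dict) -> dict:
    """Mirrors the reported weakness: the client decides if and how MFA applies."""
    if not password_ok(body["email"], body["password"]):
        return {"ok": False, "reason": "bad credentials"}
    if not body.get("secureLogin", True):
        # The client said no second factor is needed, and the server believes it.
        return {"ok": True, "session": issue_session(body["email"])}
    challenge = PENDING_CHALLENGES.get(body.get("attemptId"))
    if challenge is None:
        return {"ok": False, "reason": "no pending challenge"}
    if body.get("mode") == "email":
        # Assumption for this model: the e-mail mode is completed by another
        # flow, so this branch never checks the code at all.
        return {"ok": True, "session": issue_session(body["email"])}
    if hmac.compare_digest(challenge["code"], str(body.get("code", ""))):
        return {"ok": True, "session": issue_session(body["email"])}
    return {"ok": False, "reason": "wrong code"}


def login_hardened(body: dict) -> dict:
    """Whether a second factor is required, and over which channel, is read
    from server-side state; "mode" and "secureLogin" in the body are ignored."""
    if not password_ok(body["email"], body["password"]):
        return {"ok": False, "reason": "bad credentials"}
    if not ACCOUNTS[body["email"]]["mfa_enabled"]:
        return {"ok": True, "session": issue_session(body["email"])}
    challenge = PENDING_CHALLENGES.get(body.get("attemptId"))
    # The challenge must exist and must have been issued for this same account.
    if challenge is None or challenge["email"] != body["email"]:
        return {"ok": False, "reason": "no pending challenge"}
    if not hmac.compare_digest(challenge["code"], str(body.get("code", ""))):
        return {"ok": False, "reason": "wrong code"}
    del PENDING_CHALLENGES[body["attemptId"]]  # a challenge is single use
    return {"ok": True, "session": issue_session(body["email"])}


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(TAMPERED_REQUEST))
    print("hardened:  ", login_hardened(TAMPERED_REQUEST))
    print("hardened, real code:", login_hardened({**TAMPERED_REQUEST, "code": "493021"}))
```

The point of the hardened handler is that nothing the client can edit in Burp changes the outcome: the need for a second factor comes from the account record, the channel and expected code come from the challenge the server itself issued, the challenge is bound to the account it was created for, and it is consumed on success so the same code cannot be replayed.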
