While reading about challenges to bypass 2FA, I came across a report that l1nkworld submitted to Grammarly.
It is possible to bypass MFA without having the phone code.
When MFA is turned on and we already have the user's email and password, it is possible to bypass the MFA just by changing some values in the POST request to the login endpoint.
Steps To Reproduce:
- Use Burp Suite or another intercepting proxy to capture the requests
- Turn on and configure MFA on the account
- Log in with your email and password
- The MFA page appears
- Enter any random number as the code
- When you press the "sign in securely" button, intercept the POST request to auth.grammarly.com/v3/api/login and change the following fields in the POST body:
- Send the modified request and check: you are in your account. It was not necessary to enter the phone code.
An attacker who has the email and password can bypass the experimental MFA and log in to the account without the phone code.
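The report does not show Grammarly's server code or the exact field names, so the following is an added example, not code from the report or from Grammarly. It models the class of bug described above: a login handler that reads MFA state from the request body the client controls, next to a hardened handler that reads it only from the server-side user record. The field names `mfa_enabled`, `mfa_verified` and `code`, the user store and the one-time code are all hypothetical, constructed for the example.

```python
import hmac
import secrets

# Constructed, hypothetical user store for this example (not real data).
USERS = {
    "alice@example.com": {
        "password": "correct-horse-battery-staple",
        "mfa_enabled": True,
        "mfa_code": "135790",  # the one-time code the phone would show right now
    },
}

SESSIONS = {}  # session token -> email, created only on a fully authenticated login


def _credentials_ok(body):
    """Return the user record if email/password match, else None."""
    user = USERS.get(body.get("email"))
    if user is None:
        return None
    if not hmac.compare_digest(user["password"], str(body.get("password", ""))):
        return None
    return user


def _issue_session(email):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return token


def login_vulnerable(body):
    """Weak handler: whether MFA applies, and whether it already passed, comes from the client.

    The hypothetical fields 'mfa_enabled' and 'mfa_verified' are attacker-controlled,
    so anyone holding the password can flip them in the intercepted POST and skip the
    code check entirely, which is the behaviour the report describes.
    """
    user = _credentials_ok(body)
    if user is None:
        return {"status": "invalid_credentials"}
    if body.get("mfa_enabled", True) and not body.get("mfa_verified", False):
        if not hmac.compare_digest(str(body.get("code", "")), user["mfa_code"]):
            return {"status": "mfa_required"}
    return {"status": "ok", "session": _issue_session(body["email"])}


def login_fixed(body):
    """Hardened handler: MFA state is taken only from the server-side user record.

    Extra fields in the body are ignored; the only client input that matters is the
    code itself, and it is compared in constant time against the expected value.
    """
    user = _credentials_ok(body)
    if user is None:
        return {"status": "invalid_credentials"}
    if user["mfa_enabled"]:
        code = str(body.get("code", ""))
        if not hmac.compare_digest(code, user["mfa_code"]):
            return {"status": "mfa_required"}
    return {"status": "ok", "session": _issue_session(body["email"])}


def replay_tampered_request():
    """Reproduce the attack: correct password, random code, client-side MFA flags flipped."""
    tampered = {
        "email": "alice@example.com",
        "password": "correct-horse-battery-staple",
        "code": "000000",        # the "any random number" from the steps above
        "mfa_enabled": False,    # attacker-added: claim MFA does not apply
        "mfa_verified": True,    # attacker-added: claim it already passed
    }
    return {
        "vulnerable": login_vulnerable(tampered)["status"],
        "fixed": login_fixed(tampered)["status"],
    }


if __name__ == "__main__":
    print(replay_tampered_request())
```

The check a practitioner should run on any MFA flow is the one `replay_tampered_request` automates: keep the password, send a wrong code, and add or flip every boolean-looking field in the request. If the server issues a session, the MFA decision lives in the client, not the server.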