Two Factor Authentication Bypass
[Breaking Google Authenticator Verification of a Web Application]
Simply put, multi-factor authentication is an implementation that grants access to an application only after two or more pieces of evidence are presented to an authentication mechanism. Google Authenticator is a software-based authenticator that implements two-step verification using the Time-based One-Time Password [TOTP] algorithm. The authenticator application must be installed on a smartphone to generate a TOTP for each site or web application with which it is to be used.
Once, while testing a web application, I found that after logging into a user account it is possible to view other users’ details, such as user ID, email, user type, and some other details, by simply changing the user name in the URL (/api/user-query/user-info/[USER_NAME]).

By changing the user name it is possible to view any registered user’s Google Authenticator secret.

Using the Python script below, a TOTP can be generated to validate the two-step verification.
import pyotp
# Build a TOTP object from the account's Base32 secret, then print the current code
totp = pyotp.TOTP(" GOOGLE AUTHENTICATOR SECRET ")
print("OTP :", totp.now())
After successfully generating the TOTP, it is possible to bypass any registered user's two-factor authentication.
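
The root cause on the server side is a user-info lookup with no object-level authorization that also serializes the stored TOTP secret. The following is an added example, not code from the tested application: it sets that behaviour beside a hardened handler. All names, the in-memory user store, the dummy secrets and the rule that an "admin" user type may read other profiles are assumptions.

```python
# Added example: constructed in-memory data, hypothetical names throughout.
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    username: str
    email: str
    user_type: str
    totp_secret: str  # server-side only; no client needs it after enrolment


# Constructed sample records (secrets are dummy Base32 strings).
USERS = {
    "alice": User(1, "alice", "alice@example.test", "admin", "JBSWY3DPEHPK3PXP"),
    "bob": User(2, "bob", "bob@example.test", "user", "KRSXG5CTMVRXEZLU"),
}

# Allowlist of fields that may leave the server; the secret is not in it.
PUBLIC_FIELDS = ("user_id", "username", "email", "user_type")


class Forbidden(Exception):
    """Raised for both unknown and unauthorized targets."""


def user_info_vulnerable(session_user: str, requested: str) -> dict:
    """Behaviour described in the post: the session user is never compared
    with the requested user, and the whole record is returned."""
    return dict(vars(USERS[requested]))


def user_info_hardened(session_user: str, requested: str) -> dict:
    """Object-level authorization plus allowlisted serialization."""
    caller = USERS[session_user]
    target = USERS.get(requested)
    # Assumption: admins may read other profiles; everyone else only their own.
    allowed = target is not None and (
        target.username == caller.username or caller.user_type == "admin"
    )
    if not allowed:
        # Identical error for unknown and denied users: no user enumeration.
        raise Forbidden("forbidden")
    # Even an authorized caller never receives the TOTP secret.
    return {field: getattr(target, field) for field in PUBLIC_FIELDS}
```

Either control alone would have broken the chain described above: the authorization check stops cross-account reads, and the field allowlist keeps the secret out of every response.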