HackerOne: Password not checked when disabling 2FA on HackerOne
2019-05-22T17:19:54
ID H1:587910 Type hackerone Reporter tester1231233 Modified 2019-06-07T22:28:55
Description
Hi,
While I was submitting a report to a program that requires `2FA` to be on, I noticed that if you try to disable this option you are asked for a `backup code - password`, and if you enter a random password in the request field together with a correct `backup code`, `2FA` is disabled successfully without any check of whether the password was correct or not.
PoC
1. Go to your account and enable `2FA` from `/settings/auth`.
2. Once it is enabled, click the `Disabled` icon beside `Two-factor authentication`.
3. A new window opens asking for an `Authentication or backup code` and your `Password` to confirm disabling.
{F494646}
4. In the first box enter a valid `Authentication or backup code`; in the password field enter any random/wrong password, and click save.
5. The option is disabled successfully; the password is never validated.
GraphQL request
```json
{
  "query": "mutation Destroy_two_factor_authentication_credentials_mutation($input_0:DestroyTwoFactorAuthenticationCredentialsInput!,$first_1:Int!,$throttle_time_2:Int!,$first_4:Int!,$size_3:ProfilePictureSizes!) {destroyTwoFactorAuthenticationCredentials(input:$input_0) {clientMutationId,...F1,...F2}} fragment F0 on User {id,totp_supported,totp_enabled,remaining_otp_backup_code_count,account_recovery_phone_number,username,name,_profile_picturePkPpF:profile_picture(size:$size_3)} fragment F1 on DestroyTwoFactorAuthenticationCredentialsPayload {me {id,user_type,_program_health_acknowledgements2aGZgn:program_health_acknowledgements(first:$first_1,throttle_time:$throttle_time_2) {edges {node {id,reason,team_member {user {id},id,team {handle,name,sla_failed_count,id}}},cursor},pageInfo {hasNextPage,hasPreviousPage}},new_feature_notification {name,description,url,id},...F0}} fragment F2 on DestroyTwoFactorAuthenticationCredentialsPayload {me {totp_enabled,remaining_otp_backup_code_count,id},was_successful,_errors3exXYb:errors(first:$first_4) {edges {node {type,field,message,id},cursor},pageInfo {hasNextPage,hasPreviousPage}}}",
  "variables": {
    "input_0": {
      "password": "██████████",
      "otp_code": "███",
      "clientMutationId": "9"
    },
    "first_1": 1,
    "throttle_time_2": 3600,
    "first_4": 100,
    "size_3": "small"
  }
}
```
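The mutation above carries both a `password` and an `otp_code`, and the finding is that the server only verifies the second. The following is an added Ruby illustration of that server-side check, written for this page and not HackerOne's own code (their implementation is not shown in the report): a resolver that reproduces the reported behaviour next to one that verifies both factors. `Account`, `make_account`, `disable_2fa_vulnerable`, `disable_2fa_fixed` and the sample credentials are hypothetical names and constructed data; the TOTP and backup-code handling follows RFC 4226/6238 and a hashed-backup-code scheme assumed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Constructed illustration of the check the report describes, not HackerOne's code.
# Account, make_account, disable_2fa_* and all sample credentials are hypothetical.
PBKDF2_ITERATIONS = 100_000

Account = Struct.new(:salt, :password_hash, :totp_secret, :backup_code_hashes,
                     :totp_enabled, keyword_init: true)

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
end

# Constant-time byte comparison so neither check leaks a prefix match through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HOTP (RFC 4226) and TOTP (RFC 6238): HMAC-SHA1, dynamic truncation, 6 digits, 30 s step.
def hotp(secret, counter)
  h = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>')).bytes
  offset = h[19] & 0x0f
  code = ((h[offset] & 0x7f) << 24) | (h[offset + 1] << 16) | (h[offset + 2] << 8) | h[offset + 3]
  format('%06d', code % 1_000_000)
end

def totp(secret, now = Time.now.to_i, step = 30)
  hotp(secret, now / step)
end

def make_account(password:, backup_codes:)
  salt = SecureRandom.random_bytes(16)
  Account.new(salt: salt,
              password_hash: hash_password(password, salt),
              totp_secret: SecureRandom.random_bytes(20),
              backup_code_hashes: backup_codes.map { |c| OpenSSL::Digest::SHA256.digest(c) },
              totp_enabled: true)
end

def valid_password?(account, password)
  secure_equal?(hash_password(password, account.salt), account.password_hash)
end

# Accepts the current or an adjacent TOTP window, or an unused backup code (consumed on use).
def valid_otp?(account, code, now)
  return true if [-1, 0, 1].any? { |d| secure_equal?(totp(account.totp_secret, now + 30 * d), code) }
  digest = OpenSSL::Digest::SHA256.digest(code)
  idx = account.backup_code_hashes.index { |h| secure_equal?(h, digest) }
  return false if idx.nil?
  account.backup_code_hashes.delete_at(idx)
  true
end

# Vulnerable resolver, matching the behaviour in the report: the password argument is
# accepted by the mutation input but never compared to anything; only the OTP is checked.
def disable_2fa_vulnerable(account, password:, otp_code:, now: Time.now.to_i)
  unless valid_otp?(account, otp_code, now)
    return { was_successful: false, errors: [{ field: 'otp_code', message: 'is invalid' }] }
  end
  account.totp_enabled = false
  { was_successful: true, errors: [] }
end

# Fixed resolver: both factors must verify. The password is checked first and the OTP
# check is short-circuited on failure, so a wrong password cannot burn a backup code;
# a single generic error avoids telling the caller which factor was wrong.
def disable_2fa_fixed(account, password:, otp_code:, now: Time.now.to_i)
  ok = valid_password?(account, password) && valid_otp?(account, otp_code, now)
  unless ok
    return { was_successful: false, errors: [{ field: 'base', message: 'password or code is invalid' }] }
  end
  account.totp_enabled = false
  { was_successful: true, errors: [] }
end

if $PROGRAM_NAME == __FILE__
  acct = make_account(password: 'correct horse battery staple', backup_codes: ['12345678'])
  code = totp(acct.totp_secret)
  puts "vulnerable, wrong password: #{disable_2fa_vulnerable(acct, password: 'wrong', otp_code: code)[:was_successful]}"
  acct = make_account(password: 'correct horse battery staple', backup_codes: ['12345678'])
  code = totp(acct.totp_secret)
  puts "fixed, wrong password:      #{disable_2fa_fixed(acct, password: 'wrong', otp_code: code)[:was_successful]}"
end
```

Two things the example leaves out that a production handler still needs: rate limiting on the endpoint (an authenticated user can otherwise guess passwords against it) and rejecting a TOTP value that has already been accepted within its window, so a code captured once cannot be replayed.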
Impact
A user can disable `Two-factor authentication` without entering a valid password. The password prompt is the step meant to prove that the person disabling 2FA is the account holder; since it is not checked, anyone holding an authenticated session together with a current authentication or backup code can turn the protection off.
Report https://hackerone.com/reports/587910 Program HackerOne (https://hackerone.com/security) Bounty $500 State resolved