Original Post: Two Factor Authentication Bypass via using Victim’s DeviceID | by cyberpro151 | Aug, 2024
In a recent write-up, cybersecurity enthusiast cyberpro151 discusses a method for bypassing Two-Factor Authentication (2FA) discovered during a penetration test. During the test, cyberpro151 found that after logging in with credentials and providing the correct OTP once, the site did not require the OTP on subsequent logins from the same browser, using a “deviceId” to track the user. This led to the realization that knowing a legitimate “deviceId” allows an attacker to bypass the OTP requirement entirely. To demonstrate, cyberpro151 swapped deviceIds between different browsers and successfully logged in without OTP. The article emphasizes the importance of testing various assumptions during security assessments, as they can lead to crucial findings. Cyberpro151 signs off the article by encouraging readers to follow them on social media and connect on LinkedIn.
Go here to read the Original Post