
Critical Vulnerability Exposed: The Risk of Reusable OTPs in Two-Factor Authentication

Original Post: The Weak Link in Two-Factor Authentication: Exploiting Reusable OTPs | by Tusharpuri | Sep, 2024

The article describes a penetration tester’s recent experience discovering a significant security flaw in an application’s OTP (One-Time Password) authentication mechanism. Here’s a summary of the key points:

  1. Overview: The tester was examining an application’s authentication process, which typically requires entering an email and password, receiving an OTP via email, and using the OTP to complete the login.

  2. Discovery: During the test, it was noted that the server’s response to OTP verification not only issued a JWT but also exposed sensitive user data, such as full name, email, and phone number.

  3. Exploration:
    • Brute-force attempts on passwords and email-password combinations were unsuccessful due to strong password policies and account lockouts.
    • Focus shifted to the OTP mechanism. GUI constraints prevented bypassing the password directly to use the OTP.
    • Using Caido to intercept network traffic revealed that replaying previously used OTPs allowed access, bypassing the authentication process.

  4. Exploitation:
    • The tester found that OTPs could be reused even from different machines, indicating a critical vulnerability.
    • A script was created to automate the attack: inputting a valid email, brute-forcing the OTP, reusing it to log in, and hijacking accounts.

  5. Impact: This vulnerability allowed attackers to compromise any user account, view personal information, and maintain access through JWT tokens.

  6. Recommendations:
    • OTP Expiration: OTPs should expire immediately after use to prevent reuse.
    • Rate Limiting: Implement strict rate limits on OTP entries to mitigate brute-force attacks.
    • Data Exposure: Avoid including sensitive personal information in authentication responses.
    • Combined Validation: Validate the OTP together with the user’s password on the final request, so that both factors are required at once.
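The server-side recommendations above (single-use OTPs, a cap on OTP attempts, and accepting an OTP only for a login session that has already passed the password check) can be enforced in one verifier. The following is an added example written for this summary, not code from the original post or the tested application; the session-id keying, the 5-minute lifetime and the 5-attempt limit are assumed policy values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300      # assumed lifetime of an unused OTP
MAX_OTP_ATTEMPTS = 5       # assumed number of wrong guesses before the challenge is discarded


@dataclass
class OtpChallenge:
    # Hypothetical record, created only after the password step succeeded for this session.
    user_id: str
    code: str
    issued_at: float
    attempts: int = 0


class OtpVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges: dict[str, OtpChallenge] = {}   # keyed by password-authenticated session id

    def issue(self, session_id: str, user_id: str) -> str:
        # Caller must have verified the password for session_id first (combined validation).
        # Issuing a fresh code also overwrites any older, still-unused code for the session.
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[session_id] = OtpChallenge(user_id, code, self._clock())
        return code  # delivered to the user out of band (email); never returned in the HTTP response

    def verify(self, session_id: str, submitted: str) -> bool:
        ch = self._challenges.get(session_id)
        if ch is None:
            return False        # no pending challenge: unknown session or an OTP that was already consumed
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[session_id]    # expired: the user must restart the login
            return False
        if not hmac.compare_digest(ch.code, submitted):
            ch.attempts += 1
            if ch.attempts >= MAX_OTP_ATTEMPTS:
                del self._challenges[session_id]    # brute-force limit hit: discard the challenge
            return False
        del self._challenges[session_id]    # single use: the code is consumed on first success
        return True
```

After a successful verify the login response should carry only the session token, not the profile fields the summary lists as exposed.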

The article underscores the critical importance of properly managing OTP mechanisms to safeguard user accounts and sensitive data.

