Now that we have walked through the flow, let's meet our attacker, Bob, who has acquired Alice's password through social engineering or other means. Bob does not have the 2FA codes generated on Alice's phone, and without them he should not be able to take over her account.
MyWorkApp, however, has a misconfiguration that allows more than one device to be enrolled for 2FA. This means Alice can have the same code generator set up on two or more phones or devices, and the SETUP step stays reachable on an account that already has a generator. Bob uses this to exploit the application in the following manner:
- Bob navigates to the login page and enters Alice's user name and stolen password.
- The server answers this request with a redirect (a Location header) to the VERIFY step, i.e. https://myworkapp.com/2fa/verify.
- Bob intercepts this response (for example in a proxy) and changes the redirect target to the SETUP step, https://myworkapp.com/2fa/setup.
- The application server serves the SETUP page and shows Bob the QR code for 2FA enrolment: it never checks that the VERIFY step was completed before letting a further device be added.
- Bob scans the QR code with an authenticator app on his phone, enrolling it as an additional device on Alice's account.
- Bob now has a working code generator for Alice's account and can use it to complete the VERIFY step and take over the account. Alice's own device keeps working, so nothing obvious changes for her.
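The step-skipping above, as an added example that is not part of the original post or of MyWorkApp: a minimal model of the login, VERIFY and SETUP handlers, with the vulnerable SETUP check beside a hardened one. The route names are taken from the post; the session fields, account model, secret values and helper names are assumptions made for the example, and the second-device case goes slightly beyond the post by showing how a legitimate multi-device enrolment still works once VERIFY is enforced.

```python
"""Model of MyWorkApp's 2FA step machine (added example, not the app's code).

Session fields, the Account model and the secret strings are assumptions
chosen for illustration; the route names follow the post.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str
    # TOTP secrets of enrolled devices. More than one entry is what the
    # "multiple 2FA devices" setting permits.
    totp_secrets: list = field(default_factory=list)


@dataclass
class Session:
    username: str
    password_ok: bool = False   # username + password step passed
    totp_ok: bool = False       # VERIFY step passed with a valid code


def login(account: Account, password: str) -> tuple:
    """Password step. Returns the session and the redirect target the
    server sends back; the client is expected, but not forced, to follow it."""
    session = Session(account.username, password_ok=(password == account.password))
    if not session.password_ok:
        return session, "/login"
    return session, "/2fa/verify" if account.totp_secrets else "/2fa/setup"


def vulnerable_setup(session: Session, account: Account, new_secret: str) -> int:
    """SETUP as exploited in the post: only the password step is checked,
    so a client that ignores the redirect can enrol another device."""
    if not session.password_ok:
        return 401
    account.totp_secrets.append(new_secret)
    return 200


def hardened_setup(session: Session, account: Account, new_secret: str,
                   allow_multiple: bool = False) -> int:
    """SETUP treated as a post-2FA action once a generator exists:
    the account must have passed VERIFY in this session, and a second
    device is only accepted if the deployment explicitly allows it."""
    if not session.password_ok:
        return 401
    if account.totp_secrets and (not session.totp_ok or not allow_multiple):
        return 403
    account.totp_secrets.append(new_secret)
    return 200


def bob_attack(setup_handler) -> bool:
    """Replays Bob's steps: log in with the stolen password, ignore the
    redirect to VERIFY, request SETUP directly. True if Bob's generator
    ends up enrolled on Alice's account."""
    alice = Account("alice", "stolen-pw", totp_secrets=["ALICE-PHONE-SECRET"])  # constructed
    session, redirect = login(alice, "stolen-pw")
    assert redirect == "/2fa/verify"        # what the server told Bob to do
    status = setup_handler(session, alice, "BOB-PHONE-SECRET")
    return status == 200 and "BOB-PHONE-SECRET" in alice.totp_secrets


def alice_second_device() -> int:
    """Legitimate multi-device enrolment under the hardened handler:
    Alice completes VERIFY first, and the deployment allows a second device."""
    alice = Account("alice", "pw", totp_secrets=["ALICE-PHONE-SECRET"])  # constructed
    session, _ = login(alice, "pw")
    session.totp_ok = True                  # VERIFY passed with her existing phone
    return hardened_setup(session, alice, "ALICE-TABLET-SECRET", allow_multiple=True)


if __name__ == "__main__":
    print("vulnerable SETUP, Bob enrolled:", bob_attack(vulnerable_setup))
    print("hardened SETUP, Bob enrolled:", bob_attack(hardened_setup))
    print("hardened SETUP, Alice second device status:", alice_second_device())
```

The point of the hardened handler is that once an account has a generator, enrolling another one is a change to the authentication factor itself and must sit behind a completed VERIFY step, whatever the multi-device setting says; redirects are advice to the client, never an access control.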