How I bypassed 2FA of the Top Cryptocurrency Company

Ashish Dhone
2 min readMay 5, 2020

Introduction

This article is a write up on how I found a 2FA Bypass vulnerability at one of the Top Cryptocurrency Company, no matter your account is blocked or not this bypass works and you are into the account!!

What is Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security to your online accounts by asking for verification code after you sign in with your email address and password.

The verification code is generated by an application on your smartphone. To gain access to your account a potential attacker would need your email address, your password, as well as your phone.

Vulnerability exploitation

So this time my target was a Cryptocurrency company, Sorry I can't disclose the name of the company as it was as Private Program !!

This was an Android Application so I started my Emulator installed the application and started hunting for bugs. After some time I came across “Pin Code” which was asked every time when a user tries to log in to the account !!

I opened my burpsuite and started looking for the response after successfully validating the Pin Code.

  1. When a user login with correct Pin Code following response was made,

HTTP/1.1 202 Accepted

{“status”:1,”valid”:true,”message”:”success”}

2. When a user login with incorrect Pin code following response was made,

HTTP/1.1 401 Unauthorized

{“status”:0,”valid”:false,”message”:”You have been blocked due to many attempts”}

As I have tried multiple times that's why my account was blocked still I was able to bypass the functionality !!

As you can see above when you try with incorrect Pin Code,

“status”:0

”valid”:false

What I did here was just to change the

“status”:1

”valid”:true

As soon as I changed the response with 1 and true the request was accepted and even though my account was blocked and the Pin Code was incorrect I was able to log in to my account and I was like,

So I wrote a nice report and submitted to them and I was Acknowledged and rewarded with $$$.

Happy to Secure and one more added to the list :) !!

If you need any help or want to connect, you can connect with me via Linkedin at https://in.linkedin.com/in/ashish-dhone-640489135

I hope it will help you with your bug hunting !!

Thanks for Reading !!

./Keep_Hacking

Ashish Dhone

Written by Ashish Dhone

668 Followers

Top 120 in the World at Google Hacker’s Ranking & Best Bug Hunter of the Year 2021 | Cyber CounterIntelligence | SRT | CEH | CEH Master | CHFI | CVE x 4