OSINT Team

We teach OSINT from multiple perspectives. InfoSec experts, journalists, law enforcement and other intelligence specialists read us to grow their skills faster.


How a Logic Flaw Allowed Attackers to Hijack Accounts

2FA Bypass Leading to User Impersonation: A Critical Security Flaw

Karthikeyan Nagaraj
Published in OSINT Team
3 min read · Mar 16, 2025

Introduction

Two-Factor Authentication (2FA) is a crucial security measure that adds an extra layer of protection beyond just a username and password. However, a recently disclosed vulnerability in Drugs.com demonstrated a significant flaw in the authentication system, allowing an attacker to bypass 2FA and impersonate legitimate users. This article provides a detailed breakdown of the vulnerability, how it was exploited, and the impact it could have on users.

Vulnerability Summary

A security researcher, @duk3_, identified a logic flaw in the authentication system of Drugs.com that allowed an attacker (User A) to impersonate a legitimate user (User B) who had not yet registered. The flaw exploited the email change functionality and 2FA session persistence to maintain unauthorized access to an account indefinitely.

Steps to Reproduce the Exploit

  1. Create an Account: The attacker registers a new account on the Drugs.com registration page using an email address they control.
  2. Bypass 2FA with Session Trust: The attacker completes OTP verification and selects “Trust this device for 1 month,” creating a session that does not require 2FA for a month.
  3. Change the Email to the Victim’s: The attacker navigates to Account Details and changes the email to the victim’s (User B’s) email.
  4. Confirm Bypassed Authentication: The attacker logs out and back in, confirming that the application does not prompt for OTP.
  5. Retain Access Indefinitely: The attacker changes the email back to their own, then:
     • re-verifies the email through OTP;
     • changes the email back to the victim’s email;
     • by repeating this process, retains access without ever triggering 2FA.

Victim’s Perspective: When the real owner of the email (User B) attempts to sign up, they receive a message stating that the email is already in use, even though they never created an account.
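The two design defects behind the steps above are that the new address is bound to the account without being verified, and that the "trusted device" 2FA exemption survives the change. The following is an added illustration (constructed model, not Drugs.com code) of the flawed flow next to a hardened one that stages the change, sends the OTP to the new address, and revokes trusted devices; names and addresses are invented.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    trusted_devices: set = field(default_factory=set)
    pending_email: str = ""   # hardened mode only: new address awaiting OTP
    pending_otp: str = ""

class AccountService:
    """Constructed model of the email-change flow; hardened=False mirrors the reported flaw."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.accounts = {}   # account id -> Account
        self.emails = {}     # claimed email -> account id (drives "already in use")
    def register(self, email, device):
        if email in self.emails:
            raise ValueError("email already in use")
        acct_id = len(self.accounts) + 1
        acct = Account(email=email)
        acct.trusted_devices.add(device)   # "Trust this device for 1 month" after OTP
        self.accounts[acct_id] = acct
        self.emails[email] = acct_id
        return acct_id
    def change_email(self, acct_id, new_email):
        acct = self.accounts[acct_id]
        if not self.hardened:
            # Flaw: new address bound immediately, never verified, trusted device kept.
            del self.emails[acct.email]
            acct.email = new_email
            self.emails[new_email] = acct_id
            return ""
        # Fix: stage the change, OTP goes to the NEW address, revoke every trusted device.
        acct.pending_email = new_email
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        acct.trusted_devices.clear()
        return acct.pending_otp   # stands in for the mail delivered to new_email
    def confirm_email(self, acct_id, otp):
        acct = self.accounts[acct_id]
        if not acct.pending_email or not secrets.compare_digest(otp, acct.pending_otp):
            return False
        if acct.pending_email in self.emails:
            return False   # address was claimed by its real owner in the meantime
        del self.emails[acct.email]
        acct.email, acct.pending_email, acct.pending_otp = acct.pending_email, "", ""
        self.emails[acct.email] = acct_id
        return True
    def login_requires_otp(self, acct_id, device):
        return device not in self.accounts[acct_id].trusted_devices
```

In the hardened flow the victim's address is never reserved until the OTP delivered to it is entered, so the real owner can still register and the attacker's trusted-device session no longer skips 2FA.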

Impact of the Vulnerability


Written by Karthikeyan Nagaraj

Entrepreneur | Writer | Cyber Security Consultant | AI Researcher TopMate - https://topmate.io/cyberw1ng
