How I Bypassed 2 layers 2FA on a B2B Site, an Awesome experience 😐

A Tale of Response Manipulation and a Lesson in Server-Side Validation

As a bug bounty hunter, I’m always on the hunt for vulnerabilities that could compromise user security or platform integrity. Recently, I uncovered a critical flaw on a B2B business site where users can create online stores to sell products. What began as a routine test turned into a shocking discovery: I could bypass both the email and phone OTP verification steps using a simple response manipulation technique, allowing me to create an account without proving ownership of either credential. Here’s the story of how I found this vulnerability, reported it, and learned a valuable lesson about the importance of server-side validation.

Step 1: Exploring the Registration Flow

I started by navigating to the login page of the B2B business site, which offered options to sign in with Google or email . I chose “Sign in with Email” and entered a random email address I didn’t own — let’s say test@example.com. After submitting, I was prompted to enter an OTP sent to that email. Since I didn’t have access to the email, I entered a random OTP, 1111, and prepared to intercept the request using Burp Suite.

Step 2: Bypassing the Email OTP

With Burp Suite’s intercept feature enabled, I clicked “Verify OTP.” A POST request to the /store/verify-email-otp endpoint appeared in the interface. I right-clicked the request, selected “Do Intercept,” and chose “Response to this Request.” The server responded with a 400 Bad Request and a JSON payload: {“error_msg”:”Invalid OTP. Please try again.”}. This was my chance.

I modified the response to a 200 OK status and changed the JSON to {“redirect”:”https:\/\/[REDACTED]\/store\/setup”}. After turning the intercept back on and forwarding the request twice, the page redirected to the next step of the registration process. I had successfully bypassed the email OTP verification without knowing the correct code!

Step 3: Tackling the Phone OTP

The next page asked for my name, store name, and a phone number. I entered arbitrary data, including a Bangladeshi phone number +88017********, and clicked “Verify Mobile.” An OTP was supposedly sent to the phone number, and I was prompted to enter it. Again, I entered a random OTP, 1111, and intercepted the request.

The POST request went to the /store/verify-otp endpoint. I followed the same process: intercepted the response, which initially showed 400 Bad Request with {“error_msg”:”Invalid OTP. Please try again.”}. I modified it to 200 OK and changed the JSON to {“success”:”OTP verified successfully”}. After forwarding the request, the page confirmed the OTP verification.

Step 4: Completing the Registration

I was then prompted to select my user type (e.g., Creator, Business, etc.) and clicked “Continue.” To my surprise, I was redirected to the dashboard of a fully functional store. I had created an account on the B2B business site without access to the email or phone number — a critical authentication bypass vulnerability!

The Impact: Why This Matters

This vulnerability allows attackers to create accounts using any email and phone number without verifying ownership, potentially leading to account takeovers if linked to existing users. Attackers could impersonate legitimate sellers, list fraudulent products, or abuse platform features like financial transactions and customer data access. By bypassing both OTPs, the flaw critically undermines the platform’s trust and security, exposing it to significant risks.

The Lesson: Server-Side Validation Is Non-Negotiable

This experience reinforced a critical lesson in cybersecurity: never trust client-side data. The B2B business site’s reliance on client-side response handling allowed me to bypass two layers of authentication with minimal effort. Proper server-side validation would have ensured that only legitimate OTPs could proceed, preventing this vulnerability entirely.

Final Thoughts

Bug hunting is a thrilling journey of discovery, and finding a critical vulnerability like this is both rewarding and humbling. It’s a reminder of how even small oversights can lead to significant security risks, especially on platforms handling sensitive business operations.

#Happy_Hunting