On the morning of Sunday the 18th of April, after playing a video game, I decided to do a quick hunt on one of the bug bounty programs that I found on Google. So I fired up some of my favorite recon tools to gather information from the website, and while the tools were doing their thing I registered my email on the website to test the login and reset password pages. After a few checks on the login page I decided to enable 2FA verification on my account to check if there was an issue in the 2FA feature, and fortunately found an interesting one.
So, long story short, I found a 2FA verification bypass on ShapeShift which allowed me to access an account with 2FA enabled without giving the correct 2FA code during the login procedure. The vulnerability is easy to reproduce: a simple tampering of the value of one of the parameters in the 2FA verification request enabled me to bypass the feature due to lack of authentication of the app.
So below is the proof of concept of the issue.
--Proof of Concept--
Dear Evan,
Thank you for reaching out to the ShapeShift security team! Unfortunately, we haven’t yet been able to confirm this issue. Would you be willing to double check that 2FA Verification Bypass Vulnerability truly exists?
Thank you again. It’s people like you who make the Internet a safer place!
ShapeShift Security Team
Dear Evan,
Thank you for sending more videos. We checked this issue and the security team has already been made aware of this issue by another researcher. For your reference, here is the tracking number for this issue: VULN-<XXXX>.
We are currently working with that researcher to resolve the issue.
Thanks for taking the time to report a vulnerability to ShapeShift. It’s because of researchers like you that the web is a little bit safer.
Have a wonderful day!
ShapeShift Security Team
I hope you enjoy this write-up.
Stay safe everyone!