Kayıt Ol

Giriş

Şifremi Kaybettim

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

Giriş

Kayıt Ol

Canyoupwn.me ~

EN | Microsoft Authentication Bypass Vulnerability

Greetings,

Summary

Vulnerability allows you to confirm a phone number or mail that you own or not.  So you have bypassed the two factor authentication verification. Two-step verification must be active so leak can ocur. At the same time, the 2fa verification must be mandatory by the administrator. You can add the phone number or e-mail address to the corporate e-mail address without knowing it. This is very big in terms of computer forensic. A criminal offense may appear attached to your email address as confirmed by your phone. So you can be in a criminal position. Think that your phone number has been approved at wannacry’s email address, Hello FBI it’s not me, it’s 0day 🙂

Steps To Reproduce

Step1:

The administrator must approve a two factor authentication and request you to add the phone number from your account when logging in.

Step2:

I tried atony first through phone number. When I realized that I went on from the mail address.

Step 3:

Let us examine the outgoing request when we press the verification buton;

When I examine the outgoing post request and when I perform url decode;

All you need to do is change the phone number or mail address with Proxy. Namely;

Step4:

Got e-mail.

Step5:

Boom!

Proof of Concept

Timeline

October 10: Report Submitted
October 16: Report reviewed
October 18 – 21: Discussion
November 17: Report closed as resolved
Final: Award and hall of fame.

Thanks
Best Regards
Berk İmran

Hakkında Berk İMRAN

Cyber security researcher

Beni Takip Et