Bypassing HackerOne 2FA due to race condition.
I hope you all are doing well :)
If you are interested in older writeups , you can read them at https://medium.com/@akashhamal0x01
This writeup is about how I discovered a race condition vulnerability which allowed me to turn off 2FA of any HackerOne account. I don’t know for how long this vulnerability was present there until I noticed it and reported it to the team.
Here is the limited disclosed report: https://hackerone.com/reports/2598548
Context: It’s important to first understand how 2FA at HackerOne works.
Assuming that you have enabled 2FA on your HackerOne account, the authentication flow becomes like this:
Email + Password => ✅ => 2FA code => ✅ => Logged In.
A secure flow; I wasn’t able to find any vulnerability that skips one of the given steps to bypass authentication.
How to disable 2FA?
To disable 2FA you need to follow these steps:
1. Go to https://hackerone.com/users/sign_in and enter your email and password
2. Then click on the Reset two-factor authentication link
Then you will be prompted to confirm that you really want to reset the 2FA of your account, like this:
If you click OK, then you will receive an email like this:
Which means your 2FA will be reset automatically in 24 hrs, but you will receive alert emails about the 2FA reset 4–6 times at intervals of some hours to remind you to cancel the recovery if you didn’t initiate it, to protect your account.
Let’s say you don’t cancel the account recovery and log in to your account after some time; you will notice that the `Reset two-factor authentication` button is disabled, as shown in the image below:
Which means that you need to cancel the 2FA reset request before you can request again, as it is a one-time action only.
What I found out is that I can race the request when I click on Reset two-factor authentication.
The HTTP request looks like this:
POST /graphql HTTP/2
Host: hackerone.com
Cookie: <COOKIES>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://hackerone.com/users/sign_in
Content-Type: application/json
X-Csrf-Token: <CSRF TOKEN>
X-Product-Area: user-management
X-Product-Feature: signin
Content-Length: 467
Origin: https://hackerone.com
Dnt: 1
Sec-Gpc: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
{"operationName":"TwoFactorReset","variables":{"product_area":"user-management","product_feature":"signin","email":"<EMAIL>","password":"<PASSWORD>","fingerprint":"<FINGERPRINT>"},"query":"mutation TwoFactorReset($email: String!, $password: String!, $fingerprint: String!) {\n createUserTwoFactorReset(\n input: {email: $email, password: $password, fingerprint: $fingerprint}\n ) {\n success\n __typename\n }\n}\n"}
The mutation TwoFactorReset is responsible for initiating a 2FA reset for your HackerOne account. If you race this HTTP request then you will receive multiple 2FA reset notifications like this:
If you analyze the above image, you will notice that all the 2FA reset notification emails were sent 20 minutes ago, which means the race condition worked.
But the victim will check their email and cancel the account recovery because they didn’t initiate it, so the account will be secure, right? Wrong.
Because if you cancel the 2FA reset request by clicking on one link, the remaining links are still active, which means you need to click on every link to cancel the account recovery and secure your account.
But this is not possible for most users, because no one is online 24/7 and users don’t know they need to click on all the links to cancel the 2FA reset request to protect their account.
The HackerOne team rated this finding as Medium severity and rewarded me a bounty:
FIX: The fix is now live in production: once a user clicks on any of the 2FA reset cancel links, all other links are invalidated and the user is notified via email. So the user doesn’t need to click on every link to secure their account.
Why it occurred: For each successfully raced request, an email was sent to the user’s account, making all 2FA cancel links active; if you cancel one, the others are still active.
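To make the root cause and the fix concrete, here is a small Python model added to this writeup (it is not HackerOne’s code; the class, the method names and the per-account lock are assumptions): the original check-then-act lets every raced request create its own cancel link, while the fixed version serialises the check per account and makes one cancel click invalidate all outstanding links.

```python
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class TwoFactorResetService:
    """Toy model (constructed for this writeup) of the 2FA reset flow."""

    def __init__(self, atomic):
        self.atomic = atomic          # False = original behaviour, True = the fix
        self.resets = {}              # cancel-link token -> still active?
        self.lock = threading.Lock()  # stands in for a per-account DB lock

    def _create(self):
        if any(self.resets.values()):  # the "button is disabled" check
            return None
        time.sleep(0.1)                # DB round trip: racers all pass the check above
        token = secrets.token_hex(8)
        self.resets[token] = True      # one more emailed cancel link
        return token

    def request_reset(self):
        if not self.atomic:
            return self._create()      # check-then-act with no lock: raceable
        with self.lock:                # fix 1: check and insert are atomic per account
            return self._create()

    def cancel(self, token):
        with self.lock:
            if not self.resets.get(token):
                return False
            # fix 2: one click invalidates every outstanding link, not just this one
            for t in (list(self.resets) if self.atomic else [token]):
                self.resets[t] = False
            return True

    def active_links(self):
        return sum(self.resets.values())

def race_reset(service, n=5):
    """Fire n reset requests at the same instant, as the raced POST /graphql did."""
    barrier = threading.Barrier(n)

    def worker(_):
        barrier.wait()                 # release all n threads together
        return service.request_reset()

    with ThreadPoolExecutor(max_workers=n) as pool:
        return [tok for tok in pool.map(worker, range(n)) if tok]
```

With `atomic=False`, five raced requests yield five active links and cancelling one leaves four; with `atomic=True`, only one request succeeds and a single cancel leaves none, after which a fresh reset can be requested again.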
I hope you enjoyed reading this! Thanks!