Vulnerability Report- 2FA Code Bypass #3667
Comments
This is an issue with steemit/faucet, not the network itself. Also, this isn't 2FA but an email verification code. Steem fundamentally cannot support email-based 2FA. This only allows going through signup with an email that you don't control, which isn't even useful, since the signup process involves using the email you verified earlier.

Thanks for the update.

So as far as I am concerned, as a security researcher I have tested this functionality of the email verification code and it is not properly implemented.

I can actually use other emails to sign up and use the account with that email address. I guess that this is considered a vulnerability? The impact is there.

If not, what purpose does it fulfill?

@Phoenix202020 You cannot log in with an email. You must use a username to sign in. Your email is only used during sign up. You'd only be doing yourself a disservice by signing up with an email you don't control -- the email you provide is only used for the signup process and for account recovery.

I agree with smitty regarding the login, though I will re-check your findings.

Thank you,
Emil

Hi guys, did you test it? I have found one more bug, to be more specific an IDOR which is leaking sensitive information.

What other sensitive information did you discover? Most of it is public anyway.

Care to share a video with me?

Thank you,
Emil

Can you share your email with me? I will attach the video in the email.

Any updates on this?

Give it up mate, Steemit Inc is completely compromised. Consider this project abandoned.

Weakness: Violation of Secure Design Principles
Severity: Medium
Vulnerable Host: steemit.com
Summary:
I was able to bypass the 2FA verification code by brute-forcing the code. Thus, it could be misused by an attacker to misuse other emails of your customers/users and brute-force the verification code.
Video POC:
https://drive.google.com/file/d/1qxHfRTh0kAq0bkSsx2wVDVB3-8ze-nC8/view?usp=sharing
Impact:
Emails can be misused and the email verification code can be bypassed.
Looking forward to hearing from you soon and to reporting further.
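The report above describes a verification code that accepts unlimited guesses. As an added illustration, not code from steemit/faucet or from anyone in this thread, the following Python verifier shows the controls that close that gap: a per-code attempt budget, an expiry, single use, and constant-time comparison. The class, the email addresses, and the budget and TTL values are assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # a 6-digit code has only 1,000,000 possible values
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is burned (assumed value)
CODE_TTL_SECONDS = 600   # code lifetime after issue (assumed value)

class VerificationStore:
    """One-time email verification codes with an attempt budget, a TTL,
    single use and constant-time checking."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be exercised offline
        self._pending = {}    # email -> {"code", "attempts", "expires"}

    def has_pending(self, email):
        return email in self._pending

    def issue(self, email):
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[email] = {"code": code, "attempts": 0,
                                "expires": self._now() + CODE_TTL_SECONDS}
        return code  # a real service emails this; it is never returned to the client

    def verify(self, email, guess):
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[email]
            return False
        # constant-time comparison: response timing must not reveal matching digits
        if hmac.compare_digest(entry["code"], str(guess)):
            del self._pending[email]   # single use: a verified code cannot be replayed
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[email]   # budget spent: the user must request a fresh code
        return False

def wrong_guesses_until_burned(store, email):
    """How many wrong guesses a pending code survives; unbounded would mean brute-forceable."""
    n = 0
    while store.has_pending(email):
        store.verify(email, "not-a-code")  # constructed guess of the wrong shape
        n += 1
    return n
```

With the budget in place, a code is deleted after MAX_ATTEMPTS wrong guesses, so even the correct value is rejected afterwards and the user has to request a fresh code.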