While testing the Two-Factor Authentication (2FA) implementation of a web application, I discovered that I could bypass the email-based OTP verification through response manipulation.
How I did it
First, I created a new account using an email address that I did not actually own. During registration, I noticed that no email verification was required, and the account was activated immediately.
At this point, I asked myself:
What if I try to enable 2FA on an account with an unverified email address?
I attempted to enable Two-Factor Authentication (2FA).
The application requested email verification and sent an OTP to the provided email address. I intentionally entered an invalid OTP value (000000).

I intercepted the verification request using Burp Suite, and instead of modifying the request, I intercepted the server's response.

I manually changed the verification flag in that response from false to true.


After modifying the response, the application accepted the invalid OTP and the email was incorrectly marked as verified.

The 2FA setup process continued successfully and the authenticator app QR code was displayed, allowing full 2FA activation.
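To make the failure mode concrete, here is an added Python model of the flow described above. It is not code from the tested application or from the original write-up; the server, endpoint and function names (Server, verify_email_otp, totp_setup, front_end) and the email addresses and OTP values are constructed for the example. The same in-memory server is run in two modes: one where the QR step is gated only by the verified flag the client receives (the bug), and one where the verified state is recorded in the session and the enrolment endpoint checks it (the fix). tamper_response plays the role of the Burp interception that flips the flag.

```python
import hmac
import json
import secrets


class Server:
    """In-memory stand-in for the backend (constructed example, not the tested app).

    enforce_server_side=False models the bug: verify_email_otp reports its
    result to the client but totp_setup never checks that the email was
    verified, so the only thing gating the QR code is front-end logic.
    enforce_server_side=True models the fix: the verified state is recorded
    in the session and totp_setup refuses to run without it.
    """

    def __init__(self, enforce_server_side):
        self.enforce = enforce_server_side
        self.sessions = {}

    def register(self, email):
        sid = secrets.token_hex(8)
        # No verification at signup, as in the write-up: any address is accepted.
        self.sessions[sid] = {"email": email, "otp": None,
                              "email_verified": False, "totp_secret": None}
        return sid

    def send_email_otp(self, sid, otp=None):
        # The OTP goes to the mailbox; the attacker never sees it. A fixed value
        # can be injected here only to keep the example deterministic.
        otp = otp or f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid]["otp"] = otp

    def verify_email_otp(self, sid, submitted):
        s = self.sessions[sid]
        ok = s["otp"] is not None and hmac.compare_digest(s["otp"], submitted)
        if ok:
            s["otp"] = None             # single use
            s["email_verified"] = True  # the state the fixed server relies on
        return json.dumps({"verified": ok})

    def totp_setup(self, sid):
        s = self.sessions[sid]
        if self.enforce and not s["email_verified"]:
            return json.dumps({"error": "email not verified"})
        s["totp_secret"] = secrets.token_hex(10)
        uri = f"otpauth://totp/app:{s['email']}?secret={s['totp_secret']}"
        return json.dumps({"otpauth": uri})


def tamper_response(body):
    """The Burp step: rewrite the intercepted response so the flag reads true."""
    data = json.loads(body)
    data["verified"] = True
    return json.dumps(data)


def front_end(srv, sid, verify_response):
    """Mimics the web client: show the QR step only if the response says verified.

    Returns (qr_displayed, totp_enabled_on_server).
    """
    if not json.loads(verify_response).get("verified"):
        return False, srv.sessions[sid]["totp_secret"] is not None
    setup = json.loads(srv.totp_setup(sid))
    return "otpauth" in setup, srv.sessions[sid]["totp_secret"] is not None


def run_attack(enforce_server_side, tamper=True):
    """Attacker registers an address they do not own and submits 000000."""
    srv = Server(enforce_server_side)
    sid = srv.register("victim@example.com")    # constructed address
    srv.send_email_otp(sid, otp="483920")       # constructed real OTP, unseen by attacker
    resp = srv.verify_email_otp(sid, "000000")  # server answers {"verified": false}
    if tamper:
        resp = tamper_response(resp)
    return front_end(srv, sid, resp)


def run_legit(enforce_server_side):
    """Real owner enters the OTP from the mailbox; must still work on the fixed server."""
    srv = Server(enforce_server_side)
    sid = srv.register("owner@example.com")
    srv.send_email_otp(sid, otp="483920")
    resp = srv.verify_email_otp(sid, "483920")
    return front_end(srv, sid, resp)


if __name__ == "__main__":
    print("vulnerable, tampered:", run_attack(False))  # (True, True)
    print("fixed, tampered:     ", run_attack(True))   # (False, False)
    print("fixed, legit:        ", run_legit(True))    # (True, True)
```

The point the model makes is that the response is only a message to the client; the client is fully under the tester's control, so any decision that matters (here, issuing the TOTP secret) has to be taken from state the server itself recorded when the OTP actually matched. When testing, the manual flip can be repeated automatically with a Burp Proxy Match and Replace rule on the response body, which makes it easy to confirm whether the flag is merely cosmetic or actually gates the next request.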

Impact
Attackers can enable 2FA on accounts with unverified or non-existent email addresses. This leads to account lockout and to pre-account takeover. The vulnerability breaks the trust model of email-based OTP verification: the 2FA enrolment step proceeded on the strength of a flag the client could see and rewrite, rather than on a verification state held and checked on the server.
Alhamdulillah