Vulnerability Report- 2FA Code Bypass

[Phoenix202020]

Weakness: Violation of Secure Design Principles

Severity: Medium

Vulnerable Host: steemit.com

Summary:

I was able to Bypass the 2FA verification code through bruteforcing the code.Thus, It could be misused by an attacker to misuse other emails of your customers/users and bruteforce the verification code.

Video POC:

https://drive.google.com/file/d/1qxHfRTh0kAq0bkSsx2wVDVB3-8ze-nC8/view?usp=sharing

Impact:

Emails can be misused and the email verification code can be bypassed.

Looking forward to hear from you soon and to report further.

[syvb]

This is an issue with steemit/faucet, not the network itself. Also this isn't 2fa this but a email verification code. Steem fundamentally cannot support email-based 2FA. This only allows going through signup with a email that you don't control, which isn't even useful, since the signup process involves using the email you verified earlier.

[Phoenix202020]

Thanks for the update. So as far as I am concerned,as a security researcher I have tested this functionality of the email verification code and it is not properly implemented. I can actually use other emails to sign up and use the account with that email address,I guess that this is considered as a vulnerability? The impact is there. If not, what purpose does it fulfill?

…

On Fri, 9 Jul 2021 at 6:31 AM, Smittyvb ***@***.***> wrote: This is an issue with steemit/faucet <https://github.com/steemit/faucet>, not the network itself. Also this isn't 2fa this but a email verification code. Steem fundamentally cannot support email-based 2FA. This only allows going through signup with a email that you don't control, which isn't even useful, since the signup process involves using the email you verified earlier. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#3667 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APSWRFRUDJES6HYUYOBSTETTWZGPBANCNFSM5ABXHOJA> .

[syvb]

@Phoenix202020 You cannot login with a email. You must use a username to sign in. Your email is only used during sign up. You'd only be doing yourself a disservice by signing up with a email you don't control -- the email you provide is only used for the signup process and for account recovery.

[KINGdotNET]

I agree with smitty regarding the login, though I will re-check your findings. Thank you, Emil *KING.NET <https://king.net/>* Data is Everything. Email: EM@KING.NET Twitter: @KingNet ***@***.***> *Certified: CISSP, CISM, CEH, CASP, CDPSE, **Security+, MCSE, MCSA, MCP, CMMC-RP* *QUE.com <http://que.com/> *Artificial Intelligence, Machine Learning, Robotics, Cyber Security *Yehey.com <https://yehey.com/>* a Shout for Joy - Let's discover the world of wonder. *MAJ.COM <https://maj.com/>* Management of Assets and Joint Ventures *SwapToken.com <https://swaptoken.com/>* - Gateway to Blockchain Crypto Currencies. Whoever pursues righteousness and love finds life, prosperity and honor. Proverbs 21:21 ============================ [PROPRIETARY AND CONFIDENTIAL] The information contained within this email (including any attachments) is considered confidential information intended only for the use of the individual or entity named. If the reader of the message is not the intended recipient, you are hereby notified that any unauthorized review, copy, disclosure, or distribution of this communication is strictly prohibited. If you received this email message in error, please immediately notify the sender by reply email and delete this message, and any attachments from your system. Thank you for your cooperation. ============================ *Acknowledgement.com <https://acknowledgement.com/>* - Word of Wisdom On Thu, Jul 8, 2021 at 10:38 PM Phoenix202020 ***@***.***> wrote:

…

Thanks for the update. So as far as I am concerned,as a security researcher I have tested this functionality of the email verification code and it is not properly implemented. I can actually use other emails to sign up and use the account with that email address,I guess that this is considered as a vulnerability? The impact is there. If not, what purpose does it fulfill? On Fri, 9 Jul 2021 at 6:31 AM, Smittyvb ***@***.***> wrote: > This is an issue with steemit/faucet <https://github.com/steemit/faucet >, > not the network itself. Also this isn't 2fa this but a email verification > code. Steem fundamentally cannot support email-based 2FA. This only allows > going through signup with a email that you don't control, which isn't even > useful, since the signup process involves using the email you verified > earlier. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > <#3667 (comment)>, or > unsubscribe > < https://github.com/notifications/unsubscribe-auth/APSWRFRUDJES6HYUYOBSTETTWZGPBANCNFSM5ABXHOJA > > . > — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#3667 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABT24TJHKBSRKIC6PORS66TTWZOJXANCNFSM5ABXHOJA> .

[Phoenix202020]

Hi guys,Did you test it? I have found one more bug, to be more specific an IDOR which is leaking sensitive information.

…

On Fri, 9 Jul 2021 at 5:55 PM, EM @yehey ***@***.***> wrote: I agree with smitty regarding the login, though I will re-check your findings. Thank you, Emil *KING.NET <https://king.net/>* Data is Everything. Email: ***@***.*** Twitter: @KingNet ***@***.***> *Certified: CISSP, CISM, CEH, CASP, CDPSE, **Security+, MCSE, MCSA, MCP, CMMC-RP* *QUE.com <http://que.com/> *Artificial Intelligence, Machine Learning, Robotics, Cyber Security *Yehey.com <https://yehey.com/>* a Shout for Joy - Let's discover the world of wonder. *MAJ.COM <https://maj.com/>* Management of Assets and Joint Ventures *SwapToken.com <https://swaptoken.com/>* - Gateway to Blockchain Crypto Currencies. Whoever pursues righteousness and love finds life, prosperity and honor. Proverbs 21:21 ============================ [PROPRIETARY AND CONFIDENTIAL] The information contained within this email (including any attachments) is considered confidential information intended only for the use of the individual or entity named. If the reader of the message is not the intended recipient, you are hereby notified that any unauthorized review, copy, disclosure, or distribution of this communication is strictly prohibited. If you received this email message in error, please immediately notify the sender by reply email and delete this message, and any attachments from your system. Thank you for your cooperation. ============================ *Acknowledgement.com <https://acknowledgement.com/>* - Word of Wisdom On Thu, Jul 8, 2021 at 10:38 PM Phoenix202020 ***@***.***> wrote: > Thanks for the update. > So as far as I am concerned,as a security researcher I have tested this > functionality of the email verification code and it is not properly > implemented. > I can actually use other emails to sign up and use the account with that > email address,I guess that this is considered as a vulnerability? The > impact is there. > > If not, what purpose does it fulfill? > > > > On Fri, 9 Jul 2021 at 6:31 AM, Smittyvb ***@***.***> wrote: > > > This is an issue with steemit/faucet < https://github.com/steemit/faucet > >, > > not the network itself. Also this isn't 2fa this but a email verification > > code. Steem fundamentally cannot support email-based 2FA. This only > allows > > going through signup with a email that you don't control, which isn't > even > > useful, since the signup process involves using the email you verified > > earlier. > > > > — > > You are receiving this because you authored the thread. > > Reply to this email directly, view it on GitHub > > <#3667 (comment)>, > or > > unsubscribe > > < > https://github.com/notifications/unsubscribe-auth/APSWRFRUDJES6HYUYOBSTETTWZGPBANCNFSM5ABXHOJA > > > > . > > > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#3667 (comment)>, or > unsubscribe > < https://github.com/notifications/unsubscribe-auth/ABT24TJHKBSRKIC6PORS66TTWZOJXANCNFSM5ABXHOJA > > . > — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3667 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APSWRFSSK5EW3GD4WAACOSDTW3WSPANCNFSM5ABXHOJA> .

[KINGdotNET]

What other sensitive information did you discover? Most of it is public anyway. Care to share a video with me? Thank you, Emil *KING.NET <https://king.net/>* Data is Everything. Email: EM@KING.NET Twitter: @KingNet ***@***.***> *Certified: CISSP, CISM, CEH, CASP, CDPSE, **Security+, MCSE, MCSA, MCP, CMMC-RP* *QUE.com <http://que.com/> *Artificial Intelligence, Machine Learning, Robotics, Cyber Security *Yehey.com <https://yehey.com/>* a Shout for Joy - Let's discover the world of wonder. *MAJ.COM <https://maj.com/>* Management of Assets and Joint Ventures *SwapToken.com <https://swaptoken.com/>* - Gateway to Blockchain Crypto Currencies. Whoever pursues righteousness and love finds life, prosperity and honor. Proverbs 21:21 ============================ [PROPRIETARY AND CONFIDENTIAL] The information contained within this email (including any attachments) is considered confidential information intended only for the use of the individual or entity named. If the reader of the message is not the intended recipient, you are hereby notified that any unauthorized review, copy, disclosure, or distribution of this communication is strictly prohibited. If you received this email message in error, please immediately notify the sender by reply email and delete this message, and any attachments from your system. Thank you for your cooperation. ============================ *Acknowledgement.com <https://acknowledgement.com/>* - Word of Wisdom On Sat, Jul 10, 2021 at 10:28 PM Phoenix202020 ***@***.***> wrote:

…

Hi guys,Did you test it? I have found one more bug, to be more specific an IDOR which is leaking sensitive information. On Fri, 9 Jul 2021 at 5:55 PM, EM @yehey ***@***.***> wrote: > I agree with smitty regarding the login, though I will re-check your > findings. > > Thank you, > Emil > > *KING.NET <https://king.net/>* Data is Everything. > Email: ***@***.*** Twitter: @KingNet ***@***.***> > *Certified: CISSP, CISM, CEH, CASP, CDPSE, **Security+, MCSE, MCSA, MCP, > CMMC-RP* > > *QUE.com <http://que.com/> *Artificial Intelligence, Machine Learning, > Robotics, Cyber Security > *Yehey.com <https://yehey.com/>* a Shout for Joy - Let's discover the > world > of wonder. > *MAJ.COM <https://maj.com/>* Management of Assets and Joint Ventures > *SwapToken.com <https://swaptoken.com/>* - Gateway to Blockchain Crypto > Currencies. > > Whoever pursues righteousness and love finds life, prosperity and honor. > Proverbs 21:21 > ============================ > [PROPRIETARY AND CONFIDENTIAL] > The information contained within this email (including any attachments) is > considered confidential information intended only for the use of the > individual or entity named. If the reader of the message is not the > intended recipient, you are hereby notified that any unauthorized review, > copy, disclosure, or distribution of this communication is strictly > prohibited. If you received this email message in error, please immediately > notify the sender by reply email and delete this message, and any > attachments from your system. Thank you for your cooperation. > ============================ > *Acknowledgement.com <https://acknowledgement.com/>* - Word of Wisdom > > > > On Thu, Jul 8, 2021 at 10:38 PM Phoenix202020 ***@***.***> > wrote: > > > Thanks for the update. > > So as far as I am concerned,as a security researcher I have tested this > > functionality of the email verification code and it is not properly > > implemented. > > I can actually use other emails to sign up and use the account with that > > email address,I guess that this is considered as a vulnerability? The > > impact is there. > > > > If not, what purpose does it fulfill? > > > > > > > > On Fri, 9 Jul 2021 at 6:31 AM, Smittyvb ***@***.***> wrote: > > > > > This is an issue with steemit/faucet < > https://github.com/steemit/faucet > > >, > > > not the network itself. Also this isn't 2fa this but a email > verification > > > code. Steem fundamentally cannot support email-based 2FA. This only > > allows > > > going through signup with a email that you don't control, which isn't > > even > > > useful, since the signup process involves using the email you verified > > > earlier. > > > > > > — > > > You are receiving this because you authored the thread. > > > Reply to this email directly, view it on GitHub > > > <#3667 (comment) >, > > or > > > unsubscribe > > > < > > > https://github.com/notifications/unsubscribe-auth/APSWRFRUDJES6HYUYOBSTETTWZGPBANCNFSM5ABXHOJA > > > > > > . > > > > > > > — > > You are receiving this because you are subscribed to this thread. > > Reply to this email directly, view it on GitHub > > <#3667 (comment)>, > or > > unsubscribe > > < > https://github.com/notifications/unsubscribe-auth/ABT24TJHKBSRKIC6PORS66TTWZOJXANCNFSM5ABXHOJA > > > > . > > > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#3667 (comment)>, or > unsubscribe > < https://github.com/notifications/unsubscribe-auth/APSWRFSSK5EW3GD4WAACOSDTW3WSPANCNFSM5ABXHOJA > > . > — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#3667 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABT24TIF74MR2VIXGJUETO3TXD6VHANCNFSM5ABXHOJA> .

[Phoenix202020]

can you share you email with me? I will attach the video in the email.

[Phoenix202020]

any updates on this?

[Phoenix202020]

@KINGdotNET

[ausbitbank]

Give it up mate steemit inc is completely compromised. Consider this project abandoned