Bypassing Current Password
This post is about how I bypassed current password during enabling of 2fa in a h1 private program So lets come to the details I went to the settings page and navigated to the 2fa section It asked me to enter current password , I entered a random password and intercepted the request with BURP .The request looks like below OST /v1/otp/provision HTTP/1.1 Host: private.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://www.private.com/account-settings/2fa authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXNzaW9uX2lkIjoiSzdvSzlxTmZUcFotTVpPUURkVm11LTVRaFdHZmxIQkciLCJ1c2VyX2lkIjoieWtyNlQ1Q1hXZ2l1bDRmdnZNak5meXdIQTlHdlp2T0oiLCJ0ZWFtX2lkIjoiOTl4dzhOa3BxQkdSY2J3ejV5WXlMSUVpbVQ4R3ZPOUwiLCJuZWVkc19vdHAiOmZhbHNlLCJyZWFkX29ubHkiOmZhbHNlLCJoYXNfY29udHJhY3QiOmZhbHNlLCJlbnRpdGxlbWVudHM...