
Information disclosure -> 2fa bypass -> POST exploitation

Medium
Algolia
Reported by akashhamal0x01

Vulnerability Details

Technical details and impact analysis

Information Disclosure
Greetings! So I was testing algolia.com. I was impressed to find out that there are mitigations in place to prevent post-exploitation, such as:

When 2FA is enabled we need the "old password" to update the following things:
- To update the password
- To disable the 2FA, etc. (might be more...)

And we need 2FA codes to do the following actions:
- To change email
- To download recovery codes
- To delete account, etc. (might be more...)

So given these security checks, even if an account is compromised (the attacker doesn't know the password or have access to 2FA or anything, but only has access to the account)... For example, just consider a scene where the victim is using your website in a cyber cafe and forgets to, for example, log out. So the attacker will check all functionalities to make the victim's account his/her own, but provided that he/she needs to have either access to 2FA or know the password, he/she will be helpless. So now the attacker starts to find vulnerabilities in the website!

So here I found that the "gauth_secret" is potentially leaked in the response (which is not normal and is unnecessary to leak), which means that the attacker who got access to the account can take advantage of this information leakage, use that "gauth_secret" value in an authenticator app and then bypass the checks by providing the correct codes! So this way an attacker can bypass authentication and execute critical actions like:
- updating mail, deleting account, etc.

# Steps to reproduction:
First log in to algolia.com and then:
- Go to "https://www.algolia.com/account/support"
- There will be 2 buttons: "Revoke" and "Renew". Click on "Renew" and intercept that request using a proxy like Burp Suite
- Now send that request to Repeater and forward that request
- In Repeater, replay the request, check the response and look for "gauth_secret", then copy the value of that key
- Download the Google Authenticator app and then paste it; it will show the codes
- Now you can execute actions as you know the 2FA codes now!
## Impact
Since there are checks implemented for every critical action, I think the leakage of "gauth_secret" here lets the attacker bypass those checks by knowing 2FA. So now the attacker can delete the account, update the email and do much more critical actions and totally compromise the victim's account.

Solution: Don't leak the gauth_secret in the response.
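As an added illustration of the fix the report asks for (example code written for this page, not code from the report or from Algolia; the endpoint's record shape and every field name other than gauth_secret are assumed), here is the leaky serializer beside an allowlist serializer, plus a regression check that scans any JSON response for TOTP-seed-looking keys so the leak cannot silently return:

```python
import json
import re

# Constructed sample of what a 2FA "renew"-style endpoint might serialize.
# The seed below is a made-up base32 string, not a real secret.
SAMPLE_ACCOUNT = {
    "id": 42,
    "email": "victim@example.com",
    "two_factor_enabled": True,
    "gauth_secret": "JBSWY3DPEHPK3PXP",
    "recovery_codes_remaining": 8,
}

# Fields the browser actually needs; the TOTP seed is deliberately not among them.
PUBLIC_FIELDS = ("id", "email", "two_factor_enabled", "recovery_codes_remaining")

# Key names that look like a 2FA/TOTP seed, whatever the exact spelling.
SECRET_KEY_RE = re.compile(r"(gauth|totp|otp|2fa|mfa|authenticator).*secret|secret.*(gauth|totp|otp)", re.I)


def serialize_leaky(account):
    """The bug pattern: dump the whole model, seed included."""
    return json.dumps(account)


def serialize_safe(account):
    """The fix: allowlist client-facing fields instead of denylisting secrets."""
    return json.dumps({k: account[k] for k in PUBLIC_FIELDS if k in account})


def _walk(obj, path, hits):
    """Recursively collect dotted paths of keys matching SECRET_KEY_RE."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if SECRET_KEY_RE.search(key):
                hits.append(here)
            _walk(value, here, hits)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            _walk(item, f"{path}[{i}]", hits)
    return hits


def find_secret_keys(body):
    """Return paths of TOTP-seed-looking keys in a JSON response (str or parsed)."""
    return _walk(json.loads(body) if isinstance(body, str) else body, "", [])


def response_leaks_totp_seed(body):
    """Regression check for the fix: True if any TOTP-seed-looking key is present."""
    return bool(find_secret_keys(body))
```

Running `find_secret_keys` over every recorded API response in a test suite (or a proxy log) flags the leak as a dotted key path, including nested and list-wrapped objects.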

Report Details

Additional information and metadata

State: Closed

Substate: Resolved

Weakness: Information Disclosure