Starting this semester, our school requires Two-Factor Authentication via SMS or e-mail for our “student management system” of sorts. While it sounds like a good idea, it’s not opt-in or opt-out, meaning you cannot disable it. And sometimes it takes minutes to receive the code, something that is very annoying for a quick visit or when you don’t have much time.
Technically, it’s actually Two-Step Verification, but nobody cares about the difference between the two these days, right? At least that’s what the website calls it. Anyway, I didn’t really do anything fancy, it’s just common sense: why does the website require an SMS code while the mobile app for SRS works perfectly as is? You’d expect the mobile app to get limited privileges, an API etc., but nope, it’s just a plain HTML renderer. What this means is that it somehow logs in to the website without using the 2FA; in fact, I’m not the one bypassing it, it’s the LEGACY CODE!
Phew, that was hard, using a simple local proxy solves the mystery:
Now all you have to do is
and use the extracted `PHPSESSID` cookie on your browser of choice.
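From the operator's side, the gap described here is visible in session logs: a session that serves pages without ever completing the second step, or one that was issued to the app and later shows up from a different client. The audit below is an added example, not code from the original post or from the school's system; the event names, client labels and sample events are constructed assumptions to be mapped onto real access logs.

```python
from collections import defaultdict

# Constructed sample events, not taken from the post: (session_id, event, client).
# Event and client names are hypothetical; map them from your own access logs.
SAMPLE_EVENTS = [
    ("s1", "login_web", "browser"),
    ("s1", "otp_ok", "browser"),
    ("s1", "page", "browser"),      # normal web login with second step
    ("s2", "login_app", "app"),
    ("s2", "page", "app"),          # app path: pages served, no second step
    ("s3", "login_app", "app"),
    ("s3", "page", "browser"),      # app-issued session reused from a browser
    ("s4", "login_web", "browser"),
    ("s4", "page", "browser"),      # web login that never finished the second step
]

LOGIN_EVENTS = {"login_web", "login_app"}


def audit_sessions(events):
    """Return {session_id: sorted finding codes} for sessions that break the policy."""
    sessions = {}
    findings = defaultdict(set)
    for sid, event, client in events:
        if event in LOGIN_EVENTS:
            # A login (re)starts the session record: second step not yet done.
            sessions[sid] = {"login_client": client, "second_step": False}
            continue
        state = sessions.get(sid)
        if state is None:
            findings[sid].add("NO_LOGIN_SEEN")
            continue
        if event == "otp_ok":
            state["second_step"] = True
        elif event == "page":
            if not state["second_step"]:
                findings[sid].add("NO_SECOND_STEP")
            if client != state["login_client"]:
                findings[sid].add("CLIENT_SWITCH")
    return {sid: sorted(codes) for sid, codes in findings.items()}


if __name__ == "__main__":
    for sid, codes in audit_sessions(SAMPLE_EVENTS).items():
        print(sid, codes)
```

Every `NO_SECOND_STEP` hit on an app-issued session points at the same root cause: the legacy login path mints a full session, so the durable fix is to require the second step there too or to scope what those sessions can reach.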