How I earned $$$ by bypassing 2FA

less than 1 minute read

Hi, I would like to share how I was able to bypass 2FA. This is a private program on Hackerone, so we will call it example.com.

2FA is used as another layer of security to prevent Attackers from accessing the account if the attacker stole the password.

I went to the website and enabled 2FA, then logged out and try to login again.

The website asked to enter the 2FA code and the url was like:

https://example.com/react-aspx/Authenticator.aspx

An idea came to my mind to enter the url of the dashboard directly which was like:

https://example.com/home.aspx

and I was able to bypass 2FA and access the account.

Severity: Medium

Bounty: $$$