How I earned $$$ by bypassing 2FA

less than 1 minute read

Hi, I would like to share how I was able to bypass 2FA. This is a private program on Hackerone, so we will call it example.com.

What is 2FA:

2FA is used as another layer of security to prevent Attackers from accessing the account if the attacker stole the password.

The Vulnerability:

I went to the website and enabled 2FA, then logged out and try to login again.

The website asked to enter the 2FA code and the url was like:

https://example.com/react-aspx/Authenticator.aspx

An idea came to my mind to enter the url of the dashboard directly which was like:

https://example.com/home.aspx

and I was able to bypass 2FA and access the account.

Severity: Medium

Bounty: $$$

Categories:

Updated: