Vulnerability Summary
After an initial 2FA bypass was “fixed” by removing the isVerifyAuth cookie value from local storage, the application still trusted that value whenever it was present. The patch stopped the flag from being set, but not from being read.
Upon successful login with valid credentials, users are redirected to the OTP verification page at:
example.com/customer/verify-otp
During my initial inspection using DevTools, I verified the presence of the isVerifyAuth cookie, which was previously set to false. The company had removed this cookie from local storage as part of their security patch, resulting in its absence by default.
However, the application still honoured the cookie if it was manually reintroduced in the browser, so the OTP step could be bypassed exactly as before the patch.
An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database, with the operation selected by a single request header. The only access control is a Referer string check, which any HTTP client bypasses by setting the header itself. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing production campaigns.
HackerOne disclosed report: https://hackerone.com/reports/3676308 (by glferreira-devsecops)