Vulnerability Summary
After an initial 2FA bypass vulnerability was “fixed” by removing the isVerifyAuth cookie from local storage, the application still trusted this value if it existed.
Upon successful login with valid credentials, users are redirected to the OTP verification page at:
example.com/customer/verify-otp
During my initial inspection using DevTools, I verified the presence of the isVerifyAuth cookie, which was previously set to false. The company had removed this cookie from local storage as part of their security patch, resulting in its absence by default.
However, the application still accepted the cookie if it was manually reintroduced.
pyus3rA vulnerability was identified where an authenticated user could disable Multi-Factor Authentication (MFA) on their own account by modifying hidden account attributes through a backend API endpoint. This allowed subsequent logins without an MFA prompt, effectively bypassing the security control and increasing the risk of unauthorized access in the event of credential compromise.
hackerone-reportsHackerOne disclosed report --> https://hackerone.com/reports/3543475 by xavlimsg
hackerone-reportsHackerOne disclosed report --> https://hackerone.com/reports/3020021 by adilnbabras
No comments yet.
Be the first to share your thoughts
Log in to join the discussion.
Sign In