Vulnerability Summary
A vulnerability was identified where an authenticated user could disable Multi-Factor Authentication (MFA) on their own account by modifying hidden account attributes through a backend API endpoint. This allowed subsequent logins without an MFA prompt, effectively bypassing the security control and increasing the risk of unauthorized access in the event of credential compromise.
The application exposed a user profile update endpoint (/api/v1/user/profile) that allowed users to modify their personal information. However, the server did not restrict which attributes the client could modify: the submitted body was applied to the account record as a whole, so a request could also set attributes the profile form never exposed, including the one controlling MFA.
HackerOne disclosed report --> https://hackerone.com/reports/3543475 by xavlimsg
HackerOne disclosed report --> https://hackerone.com/reports/3020021 by adilnbabras
HackerOne disclosed report --> https://hackerone.com/reports/3325582 by adilnbabras