Medium · CVSS 6.4 · Improper Access Control - Generic

2FA requirement bypass when inviting team members

Vulnerability Summary

HackerOne disclosed report: https://hackerone.com/reports/3356149 by 0x7ashish

Summary:

The application requires users to enable 2FA before they can send team invitations. This restriction is enforced only on the client: the response that tells the UI whether 2FA is enabled can be rewritten in transit (a Burp Match and Replace rule turning false into true), after which the invite form is shown and the server accepts the invitation without 2FA ever having been enabled. The root cause is that the invite endpoint never re-checks the account's 2FA status from its own records; a flag the client reads, or sends back, is not a security control.

Steps To Reproduce:

  1. Sign up / log in to the application.

  2. Go to the Team section.

  3. Try to invite a new member → the application blocks the request, requiring 2FA.

  4. In Burp, add a Proxy Match and Replace rule on response bodies that changes the 2FA flag from false to true.

  5. Refresh the page, then attempt to send an invitation again.

  6. The invitation is sent successfully without enabling 2FA.
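The following is an added example, not code from the report or from the affected application. It models the steps above in plain Python: a hypothetical profile response carrying a `twoFactorEnabled` flag, a simulated Match and Replace rule on that response, the client-side gate that trusts the flag, and three invite handlers. The first performs no server-side check at all (the pattern the report implies), the second reads the flag from the request body (a variant of the same mistake, going beyond what the report shows), and the third re-checks the account's 2FA status against the server-side record. The endpoint shape, field names and in-memory user store are assumptions.

```python
import json

# Constructed in-memory user store standing in for the application's database
# (an assumption; the report does not show the real backend). The user has not
# enabled 2FA, so the invite feature should be blocked for them.
USERS = {
    "alice": {"two_factor_enabled": False, "team": "acme"},
}
TEAM_INVITES = []  # invitations the server actually accepted


def me_endpoint(user_id):
    """Hypothetical profile response the client uses to decide whether to show
    the invite form. This body travels through the proxy and can be rewritten."""
    user = USERS[user_id]
    return json.dumps({"user": user_id, "twoFactorEnabled": user["two_factor_enabled"]})


def match_and_replace(response_body, match="false", replace="true"):
    """Stand-in for a Burp Match and Replace rule applied to response bodies."""
    return response_body.replace(match, replace)


def client_gate_allows_invite(response_body):
    """The client-side check from the report: render the invite form only when
    the flag in the (possibly tampered) response says 2FA is on."""
    return json.loads(response_body).get("twoFactorEnabled") is True


def invite_vulnerable(user_id, invitee):
    """Vulnerable invite handler: assumes the client already enforced the 2FA
    gate and performs no check of its own, so any request that reaches it succeeds."""
    TEAM_INVITES.append((user_id, invitee))
    return 201


def invite_trusting_request_flag(user_id, invitee, request_json):
    """Variant of the same mistake (hypothetical, not from the report): the handler
    checks a flag but reads it from the request the client sent, so the client
    can simply send twoFactorEnabled=true."""
    if request_json.get("twoFactorEnabled") is not True:
        return 403
    TEAM_INVITES.append((user_id, invitee))
    return 201


def invite_fixed(user_id, invitee):
    """Fixed handler: the 2FA requirement is re-checked against the authoritative
    server-side record on every request; nothing from the client is trusted."""
    if not USERS[user_id]["two_factor_enabled"]:
        return 403
    TEAM_INVITES.append((user_id, invitee))
    return 201


def reproduce(user_id="alice", invitee="newmember@example.com"):
    """Walks the report's steps and returns what each stage observed."""
    original = me_endpoint(user_id)
    tampered = match_and_replace(original)
    return {
        "gate_before_tamper": client_gate_allows_invite(original),  # False: UI blocks
        "gate_after_tamper": client_gate_allows_invite(tampered),   # True: UI lets the request out
        "vulnerable_status": invite_vulnerable(user_id, invitee),   # 201: accepted without 2FA
        "request_flag_status": invite_trusting_request_flag(
            user_id, invitee, {"invitee": invitee, "twoFactorEnabled": True}),  # 201: also bypassed
        "fixed_status": invite_fixed(user_id, invitee),              # 403: server record says no 2FA
    }


if __name__ == "__main__":
    for stage, value in reproduce().items():
        print(f"{stage}: {value}")
```

The practical check when triaging a report like this is the last handler: with the proxy rule active, replay the invite request directly against the endpoint and confirm the server answers 403 based on its own record of the account, regardless of what the UI showed.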

Impact

  1. This bypass lets any user, or an attacker holding a user's session, sidestep the policy that ties team invitations to 2FA.

  2. Reduces the effectiveness of 2FA enforcement.

  3. Could allow compromised accounts to invite unauthorized users without 2FA protection.
