Back
Medium · CVSS 6.4Other

2FA requirement bypass when inviting team members

hackerone-reports
hackerone-reports
March 3, 2026
0
€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3356149

Summary:

The application requires users to enable 2FA before sending team invitations. However, this restriction can be bypassed by modifying client-side responses (match and replace from false to true). This allows invitations to be sent without enabling 2FA, defeating the security requirement.

Steps To Reproduce:

  1. Sign up / log in to the application.

  2. Go to the Team section.

  3. Try to invite a new member → the application blocks the request, requiring 2FA. {F4819623}

  4. Use a Burp extension ( Match and Replace) to change the client-side flag false → true. {F4819627}

  5. Refresh the page then attempt to send an invitation again.

  6. The invitation is sent successfully without enabling 2FA. {F4819634}

Impact

  1. This bypass allows attackers to ignore the enforced security policy.

  2. Reduces the effectiveness of 2FA enforcement.

  3. Could allow compromised accounts to invite unauthorized users without 2FA protection.

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign InRegister

Discussion

No comments yet. Be the first to share your thoughts.

Log in to join the discussion.

Sign In