TOPMFA.md

File metadata and controls

70 lines (69 loc) · 8.68 KB

Top MFA reports from HackerOne:

  1. 2FA bypass by sending blank code to Glassdoor - 268 upvotes, $0
  2. Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form to HackerOne - 182 upvotes, $10000
  3. TikTok 2FA Bypass to TikTok - 177 upvotes, $1564
  4. Previously created sessions continue being valid after MFA activation to Grammarly - 153 upvotes, $0
  5. Enable 2FA without verifying the email to Moneybird - 125 upvotes, $0
  6. Password not checked when disabling 2FA on HackerOne to HackerOne - 82 upvotes, $500
  7. Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify to Helium - 76 upvotes, $0
  8. 2FA doesn't work in "https://insider.razer.com" to Razer - 72 upvotes, $200
  9. Information disclosure -> 2fa bypass -> POST exploitation to Algolia - 71 upvotes, $0
  10. “email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired to Grammarly - 66 upvotes, $2500
  11. Changing the 2FA secret key and backup codes without knowing the 2FA OTP to HackerOne - 48 upvotes, $0
  12. Missing ownership check in 2FA for secondary client login to LINE - 47 upvotes, $0
  13. Two-factor authentication enforcement bypass to Nextcloud - 46 upvotes, $750
  14. bypass two-factor authentication in Android apps and web to TikTok - 38 upvotes, $0
  15. Two-factor authentication bypass on Grab Android App to Grab - 37 upvotes, $0
  16. Disable 2FA via CSRF (Leads to 2FA Bypass) to Mail.ru - 34 upvotes, $0
  17. Signup with any email and enable 2FA without verifying email to Omise - 33 upvotes, $0
  18. 2FA Session not expires after the password reset to Nextcloud - 32 upvotes, $50
  19. Misconfiguration in Two Factor Authorisation to Shopify - 31 upvotes, $1500
  20. Bypass two-factor authentication to Slack - 29 upvotes, $500
  21. Enable 2Fa verification without verifying email to Cloudflare Public Bug Bounty - 26 upvotes, $350
  22. Two-factor authentication can be disabled when logged in without 2fa or password confirmation to Zivver - 24 upvotes, $0
  23. Sign in with Apple works on existing accounts, bypasses 2FA to Cloudflare Public Bug Bounty - 23 upvotes, $1000
  24. Bypass two-factor authentication to Cloudflare Public Bug Bounty - 23 upvotes, $250
  25. Bypass of two-step authorization / 2FA Bypass to VK.com - 19 upvotes, $1000
  26. bypass of 2FA to Nextcloud - 17 upvotes, $750
  27. Bypassing password authentication of users that have 2FA enabled to GitLab - 17 upvotes, $0
  28. Lack of bruteforce protection for TOTP 2FA to Nextcloud - 16 upvotes, $750
  29. A second way to bypass 2FA to VK.com - 14 upvotes, $1050
  30. Two Factor Authentication Bypass to Ubiquiti Inc. - 14 upvotes, $0
  31. 2FA manual entry uses wrong encoding to Legal Robot - 13 upvotes, $0
  32. 2FA Error Handling on Google Authenticator to Legal Robot - 12 upvotes, $0
  33. Pending MFA logins aren't immediately expired after a password change to Moneybird - 12 upvotes, $0
  34. Bypassing 2FA for BTC transfers to Coinbase - 11 upvotes, $1000
  35. Email Verification Bypass by bruteforcing when setting up 2FA to Evernote - 11 upvotes, $150
  36. Can register any mobile number in MFA without current code. to Grammarly - 11 upvotes, $0
  37. 2FA Disable With Wrong Password - Response Tampering. to 8x8 - 10 upvotes, $0
  38. CSRF in obtaining backup tokens + framing, leading to compromise of 2FA to VK.com - 9 upvotes, $500
  39. New 2FA Bypass to VK.com - 8 upvotes, $1000
  40. Bypassing 2FA and/or obtaining an access_token if we have ever been logged in to the victim's account to VK.com - 8 upvotes, $300
  41. Rate limits too low for email 2FA to Bitwarden - 8 upvotes, $0
  42. Previously created sessions continue being valid after MFA activation to CS Money - 8 upvotes, $0
  43. Pre-generation of 2FA secret/backup codes seems like an unnecessary risk to HackerOne - 7 upvotes, $1000
  44. Missing link to 2FA recovery code to Legal Robot - 7 upvotes, $0
  45. Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $0
  46. Enhancement: email confirmation for 2FA recovery to Legal Robot - 6 upvotes, $0
  47. 2FA user enumeration via login to Legal Robot - 6 upvotes, $0
  48. 2FA user enumeration via password reset to Legal Robot - 6 upvotes, $0
  49. Missing Issuer parameter on TOTP 2FA to Legal Robot - 6 upvotes, $0
  50. Brute force of a current password on a disable 2fa leads to guess password and disable 2fa. to Omise - 6 upvotes, $0
  51. CSRF - Add optional two factor mobile number to Slack - 5 upvotes, $500
  52. Users with 2FA can have multiple sessions to Legal Robot - 5 upvotes, $0
  53. Bypass MFA requirement to send messages to Zivver - 5 upvotes, $0
  54. 2FA bypass - confirmation tokens don't expire to GSA Bounty - 4 upvotes, $0
  55. No rate-limit in Two factor Authentication leads to bypass using bruteforce attack to Algolia - 3 upvotes, $100
  56. 2FA settings allowed to be changed with no delay/freeze on funds to Coinbase - 3 upvotes, $0
  57. Missing Two Factor Authentication in /admin/login to CFP Time - 3 upvotes, $0
  58. Two-factor authentication (2FA) Bypass to BlockDev Sp. Z o.o - 3 upvotes, $0
  59. Able to upload backgrounds before entering 2FA to CS Money - 3 upvotes, $0
  60. The authentication code when activating 2FA can be used again to log in to Shopify - 3 upvotes, $0
  61. No admin audit entry for enabling/disabling 2FA to Nextcloud - 3 upvotes, $0
  62. bypass two-factor authentication. to LinkedIn - 3 upvotes, $0
  63. Incorrect email content when disabling 2FA to Legal Robot - 2 upvotes, $0
  64. Lengthy manual entry of 2FA secret to Legal Robot - 2 upvotes, $0
  65. 2FA manual entry uses wrong encoding to Legal Robot - 2 upvotes, $0
  66. Bypass configured 2FA provider with another provider that can be set up at login to Nextcloud - 2 upvotes, $0
  67. [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allows to send pending bounty payments to h1-ctf - 2 upvotes, $0
  68. Two-factor authentication (via SMS) to Coinbase - 1 upvote, $0