Top MFA reports from HackerOne:
- 2FA bypass by sending blank code to Glassdoor - 276 upvotes, $0
- Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form to HackerOne - 186 upvotes, $10000
- TikTok 2FA Bypass to TikTok - 180 upvotes, $1564
- Previously created sessions continue being valid after MFA activation to Grammarly - 155 upvotes, $0
- Enable 2FA without verifying the email to Moneybird - 127 upvotes, $0
- Password not checked when disabling 2FA on HackerOne to HackerOne - 82 upvotes, $0
- Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify to Helium - 77 upvotes, $0
- 2FA doesn't work in "https://insider.razer.com" to Razer - 72 upvotes, $200
- Information disclosure -> 2fa bypass -> POST exploitation to Algolia - 71 upvotes, $0
- “email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired to Grammarly - 66 upvotes, $2500
- Session doesn't expire after 2FA and another session can also change the password to SideFX - 65 upvotes, $300
- Able to block users with 2FA from logging into their accounts by just knowing the SteamID to CS Money - 53 upvotes, $300
- Changing the 2FA secret key and backup codes without knowing the 2FA OTP to HackerOne - 50 upvotes, $0
- Two-factor authentication enforcement bypass to Nextcloud - 49 upvotes, $750
- Missing ownership check in 2FA for secondary client login to LY Corporation - 47 upvotes, $0
- Bypass two-factor authentication in Android apps and web to TikTok - 39 upvotes, $0
- Two-factor authentication bypass on Grab Android App to Grab - 38 upvotes, $0
- Disable 2FA via CSRF (Leads to 2FA Bypass) to Mail.ru - 34 upvotes, $0
- Signup with any email and enable 2FA without verifying email to Omise - 33 upvotes, $0
- 2FA session does not expire after the password reset to Nextcloud - 32 upvotes, $50
- Misconfiguration in Two Factor Authorisation to Shopify - 31 upvotes, $1500
- Bypass two-factor authentication to Slack - 30 upvotes, $500
- Bypass two-factor authentication to LinkedIn - 29 upvotes, $0
- Enable 2Fa verification without verifying email to Cloudflare Public Bug Bounty - 26 upvotes, $0
- Bypass two-factor authentication to Cloudflare Public Bug Bounty - 25 upvotes, $250
- Two-factor authentication can be disabled when logged in without 2fa or password confirmation to Zivver - 24 upvotes, $0
- Sign in with Apple works on existing accounts, bypasses 2FA to Cloudflare Public Bug Bounty - 23 upvotes, $1000
- Two-step authorization bypass / 2FA Bypass to VK.com - 19 upvotes, $1000
- Lack of bruteforce protection for TOTP 2FA to Nextcloud - 17 upvotes, $750
- Bypassing password authentication of users that have 2FA enabled to GitLab - 17 upvotes, $0
- bypass of 2FA to Nextcloud - 17 upvotes, $0
- Second way to bypass 2FA to VK.com - 14 upvotes, $1050
- Two Factor Authentication Bypass to Ubiquiti Inc. - 14 upvotes, $0
- 2FA manual entry uses wrong encoding to Legal Robot - 13 upvotes, $0
- Bypassing 2FA for BTC transfers to Coinbase - 12 upvotes, $1000
- 2FA Error Handling on Google Authenticator to Legal Robot - 12 upvotes, $0
- Pending MFA logins aren't immediately expired after a password change to Moneybird - 12 upvotes, $0
- Email Verification Bypass by bruteforcing when setting up 2FA to Evernote - 11 upvotes, $150
- Can register any mobile number in MFA without current code. to Grammarly - 11 upvotes, $0
- CSRF in obtaining backup tokens + framing, leading to 2FA compromise to VK.com - 10 upvotes, $500
- 2FA Disable With Wrong Password - Response Tampering. to 8x8 - 10 upvotes, $0
- Pre-generation of 2FA secret/backup codes seems like an unnecessary risk to HackerOne - 8 upvotes, $1000
- New 2FA Bypass to VK.com - 8 upvotes, $1000
- Bypassing 2FA and/or obtaining an access_token if we have ever been logged into the victim's account to VK.com - 8 upvotes, $300
- Rate limits too low for email 2FA to Bitwarden - 8 upvotes, $0
- Previously created sessions continue being valid after MFA activation to CS Money - 8 upvotes, $0
- Missing link to 2FA recovery code to Legal Robot - 7 upvotes, $0
- Brute force of the current password when disabling 2FA allows guessing the password and disabling 2FA to Omise - 7 upvotes, $0
- Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $0
- Enhancement: email confirmation for 2FA recovery to Legal Robot - 6 upvotes, $0
- 2FA user enumeration via login to Legal Robot - 6 upvotes, $0
- 2FA user enumeration via password reset to Legal Robot - 6 upvotes, $0
- Missing Issuer parameter on TOTP 2FA to Legal Robot - 6 upvotes, $0
- CSRF - Add optional two factor mobile number to Slack - 5 upvotes, $500
- Users with 2FA can have multiple sessions to Legal Robot - 5 upvotes, $0
- Bypass MFA requirement to send messages to Zivver - 5 upvotes, $0
- 2FA settings allowed to be changed with no delay/freeze on funds to Coinbase - 4 upvotes, $0
- 2FA bypass - confirmation tokens don't expire to GSA Bounty - 4 upvotes, $0
- No rate-limit in Two factor Authentication leads to bypass using bruteforce attack to Algolia - 3 upvotes, $100
- Missing Two Factor Authentication in /admin/login to CFP Time - 3 upvotes, $0
- Two-factor authentication (2FA) Bypass to BlockDev Sp. Z o.o - 3 upvotes, $0
- Able to upload backgrounds before entering 2FA to CS Money - 3 upvotes, $0
- The authentication code when activating 2FA can be used again to log in to Shopify - 3 upvotes, $0
- No admin audit entry for enabling/disabling 2FA to Nextcloud - 3 upvotes, $0
- Two-factor authentication (via SMS) to Coinbase - 2 upvotes, $0
- Incorrect email content when disabling 2FA to Legal Robot - 2 upvotes, $0
- Lengthy manual entry of 2FA secret to Legal Robot - 2 upvotes, $0
- 2FA manual entry uses wrong encoding to Legal Robot - 2 upvotes, $0
- Bypass configured 2FA provider with another provider that can be set up at login to Nextcloud - 2 upvotes, $0
- [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allows to send pending bounty payments to h1-ctf - 2 upvotes, $0