TOPMFA.md
Top MFA reports from HackerOne:

  1. 2FA bypass by sending blank code to Glassdoor - 276 upvotes, $0
  2. Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form to HackerOne - 186 upvotes, $10000
  3. TikTok 2FA Bypass to TikTok - 180 upvotes, $1564
  4. Previously created sessions continue being valid after MFA activation to Grammarly - 155 upvotes, $0
  5. Enable 2FA without verifying the email to Moneybird - 127 upvotes, $0
  6. Password not checked when disabling 2FA on HackerOne to HackerOne - 82 upvotes, $0
  7. Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify to Helium - 77 upvotes, $0
  8. 2FA doesn't work in "https://insider.razer.com" to Razer - 72 upvotes, $200
  9. Information disclosure -> 2fa bypass -> POST exploitation to Algolia - 71 upvotes, $0
  10. “email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired to Grammarly - 66 upvotes, $2500
  11. Session doesn't expire after 2FA and another session can also change the password to SideFX - 65 upvotes, $300
  12. Able to block users with 2FA from logging into their accounts by just knowing the SteamID to CS Money - 53 upvotes, $300
  13. Changing the 2FA secret key and backup codes without knowing the 2FA OTP to HackerOne - 50 upvotes, $0
  14. Two-factor authentication enforcement bypass to Nextcloud - 49 upvotes, $750
  15. Missing ownership check in 2FA for secondary client login to LY Corporation - 47 upvotes, $0
  16. bypass two-factor authentication in Android apps and web to TikTok - 39 upvotes, $0
  17. Two-factor authentication bypass on Grab Android App to Grab - 38 upvotes, $0
  18. Disable 2FA via CSRF (Leads to 2FA Bypass) to Mail.ru - 34 upvotes, $0
  19. Signup with any email and enable 2FA without verifying email to Omise - 33 upvotes, $0
  20. 2FA Session not expires after the password reset to Nextcloud - 32 upvotes, $50
  21. Misconfiguration in Two Factor Authorisation to Shopify - 31 upvotes, $1500
  22. Bypass two-factor authentication to Slack - 30 upvotes, $500
  23. bypass two-factor authentication. to LinkedIn - 29 upvotes, $0
  24. Enable 2Fa verification without verifying email to Cloudflare Public Bug Bounty - 26 upvotes, $0
  25. Bypass two-factor authentication to Cloudflare Public Bug Bounty - 25 upvotes, $250
  26. Two-factor authentication can be disabled when logged in without 2fa or password confirmation to Zivver - 24 upvotes, $0
  27. Sign in with Apple works on existing accounts, bypasses 2FA to Cloudflare Public Bug Bounty - 23 upvotes, $1000
  28. Bypass of two-step authorization / 2FA Bypass to VK.com - 19 upvotes, $1000
  29. Lack of bruteforce protection for TOTP 2FA to Nextcloud - 17 upvotes, $750
  30. Bypassing password authentication of users that have 2FA enabled to GitLab - 17 upvotes, $0
  31. bypass of 2FA to Nextcloud - 17 upvotes, $0
  32. Second way to bypass 2FA to VK.com - 14 upvotes, $1050
  33. Two Factor Authentication Bypass to Ubiquiti Inc. - 14 upvotes, $0
  34. 2FA manual entry uses wrong encoding to Legal Robot - 13 upvotes, $0
  35. Bypassing 2FA for BTC transfers to Coinbase - 12 upvotes, $1000
  36. 2FA Error Handling on Google Authenticator to Legal Robot - 12 upvotes, $0
  37. Pending MFA logins aren't immediately expired after a password change to Moneybird - 12 upvotes, $0
  38. Email Verification Bypass by bruteforcing when setting up 2FA to Evernote - 11 upvotes, $150
  39. Can register any mobile number in MFA without current code. to Grammarly - 11 upvotes, $0
  40. CSRF in fetching backup tokens + framing, leading to 2FA compromise to VK.com - 10 upvotes, $500
  41. 2FA Disable With Wrong Password - Response Tampering. to 8x8 - 10 upvotes, $0
  42. Pre-generation of 2FA secret/backup codes seems like an unnecessary risk to HackerOne - 8 upvotes, $1000
  43. New 2FA Bypass to VK.com - 8 upvotes, $1000
  44. Bypassing 2FA and/or obtaining an access_token if we were ever logged into the victim's account to VK.com - 8 upvotes, $300
  45. Rate limits too low for email 2FA to Bitwarden - 8 upvotes, $0
  46. Previously created sessions continue being valid after MFA activation to CS Money - 8 upvotes, $0
  47. Missing link to 2FA recovery code to Legal Robot - 7 upvotes, $0
  48. Brute force of the current password on 2FA disable lets an attacker guess the password and disable 2FA to Omise - 7 upvotes, $0
  49. Non-functional 2FA recovery codes to Legal Robot - 6 upvotes, $0
  50. Enhancement: email confirmation for 2FA recovery to Legal Robot - 6 upvotes, $0
  51. 2FA user enumeration via login to Legal Robot - 6 upvotes, $0
  52. 2FA user enumeration via password reset to Legal Robot - 6 upvotes, $0
  53. Missing Issuer parameter on TOTP 2FA to Legal Robot - 6 upvotes, $0
  54. CSRF - Add optional two factor mobile number to Slack - 5 upvotes, $500
  55. Users with 2FA can have multiple sessions to Legal Robot - 5 upvotes, $0
  56. Bypass MFA requirement to send messages to Zivver - 5 upvotes, $0
  57. 2FA settings allowed to be changed with no delay/freeze on funds to Coinbase - 4 upvotes, $0
  58. 2FA bypass - confirmation tokens don't expire to GSA Bounty - 4 upvotes, $0
  59. No rate-limit in Two factor Authentication leads to bypass using bruteforce attack to Algolia - 3 upvotes, $100
  60. Missing Two Factor Authentication in /admin/login to CFP Time - 3 upvotes, $0
  61. Two-factor authentication (2FA) Bypass to BlockDev Sp. Z o.o - 3 upvotes, $0
  62. Able to upload backgrounds before entering 2FA to CS Money - 3 upvotes, $0
  63. The authentication code when activating 2FA can be used again to log in to Shopify - 3 upvotes, $0
  64. No admin audit entry for enabling/disabling 2FA to Nextcloud - 3 upvotes, $0
  65. Two-factor authentication (via SMS) to Coinbase - 2 upvotes, $0
  66. Incorrect email content when disabling 2FA to Legal Robot - 2 upvotes, $0
  67. Lengthy manual entry of 2FA secret to Legal Robot - 2 upvotes, $0
  68. 2FA manual entry uses wrong encoding to Legal Robot - 2 upvotes, $0
  69. Bypass configured 2FA provider with another provider that can be set up at login to Nextcloud - 2 upvotes, $0
  70. [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allows to send pending bounty payments to h1-ctf - 2 upvotes, $0
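Several failure modes recur across the reports above: a blank or malformed code being accepted (#1), no brute-force protection on the OTP (#29, #45, #59), an activation code that can be replayed (#63), and sessions created before MFA activation staying valid (#4, #46). The verifier below is an added example, not code from HackerOne or from any of the listed programs; it implements RFC 6238 TOTP with the standard library and closes each of those gaps. The account name, secret, lockout threshold and lockout duration are constructed for the demo and are not taken from any report.

```python
"""Hardened TOTP verifier (added example; secrets and policy values are constructed)."""
import base64
import hashlib
import hmac
import struct
import time

MAX_FAILURES = 5          # assumed policy: failed attempts before lockout
LOCKOUT_SECONDS = 300     # assumed policy: lockout duration
WINDOW = 1                # accept +/-1 time step (30 s) for clock drift
STEP_SECONDS = 30


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for one time step, HMAC-SHA1 truncation as in RFC 4226."""
    msg = struct.pack(">Q", step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.mfa_enabled = False
        self.failures = 0
        self.locked_until = 0.0
        self.last_step_used = -1      # highest time step already consumed (replay guard)
        self.sessions = set()         # live session ids


def _fail(acct: Account, now: float) -> bool:
    """Count a failure and lock the account once the threshold is hit (#29, #45, #59)."""
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
    return False


def verify_code(acct: Account, submitted: str, now=None) -> bool:
    """Return True only for a fresh, well-formed, correct code on an unlocked account."""
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return False                              # locked: no attempt is evaluated
    # Reject blank or non-numeric input before any crypto runs (#1 pattern).
    if not (submitted.isdigit() and len(submitted) == 6):
        return _fail(acct, now)
    current = int(now // STEP_SECONDS)
    for step in range(current - WINDOW, current + WINDOW + 1):
        if step <= acct.last_step_used:
            continue                              # code already consumed: no replay (#63 pattern)
        if hmac.compare_digest(totp(acct.secret, step), submitted):
            acct.last_step_used = step
            acct.failures = 0
            return True
    return _fail(acct, now)


def enable_mfa(acct: Account, submitted: str, current_session: str, now=None) -> bool:
    """Activation needs a valid code and revokes every other session (#4, #46 pattern)."""
    if not verify_code(acct, submitted, now):
        return False
    acct.mfa_enabled = True
    acct.sessions = {current_session}
    return True


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret for manual entry / QR enrolment (#34 encoding pitfall)."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    acct = Account("demo-user", b"constructed-demo-secret")   # constructed values
    acct.sessions = {"old-session", "this-session"}
    code = totp(acct.secret, int(time.time() // STEP_SECONDS))
    print("blank code accepted:", verify_code(acct, "", ))
    print("enable with valid code:", enable_mfa(acct, code, "this-session"))
    print("surviving sessions:", acct.sessions)
```

The replay guard stores only the highest consumed time step, so a code from the previous step that arrives after a newer one is rejected too; that is intentional, since a valid code should never be accepted twice in any order. Lockout is checked before input validation so that a locked account cannot be probed with well-formed codes either.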