Hackers can Invite Collaborators Without 2FA on Programs Requiring 2FA
Medium
Vulnerability Details
**Summary:**
Hackers can invite collaborators that don't have 2FA enabled in reports sent to programs that require 2FA.
### Steps To Reproduce
1. Create a new program and enable 2FA.
2. Submit a report to that program. Create a new account without 2FA and invite that account as a collaborator to the report.
3. The new account will be able to accept the invite.
## Impact
This defeats the point of having 2FA enabled, as hackers who don't have 2FA can still access the report.
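The gap described above, sketched as an added example that is not part of the original report and is not HackerOne's code: the program's 2FA requirement is enforced when a report is submitted but not when a collaborator invite is accepted. The data model and all function names are hypothetical, and it is an assumption that the reporter is checked at submission. The hardened path routes acceptance through the same policy check and repeats it at read time, which goes one step beyond the report.

```python
from dataclasses import dataclass, field
# Hypothetical model for illustration only; names are not the platform's.
class PolicyError(Exception):
    """Raised when a user does not meet a report's access requirements."""

@dataclass
class User:
    name: str
    two_factor_enabled: bool = False

@dataclass
class Report:
    program_requires_2fa: bool
    reporter: str
    invited: set = field(default_factory=set)
    collaborators: set = field(default_factory=set)

def require_program_policy(report, user):
    # Single choke point for the program's 2FA requirement.
    if report.program_requires_2fa and not user.two_factor_enabled:
        raise PolicyError(f"{user.name}: program requires 2FA")

def submit_report(reporter, program_requires_2fa):
    report = Report(program_requires_2fa, reporter.name)
    require_program_policy(report, reporter)  # assumed: checked at submission
    return report

def accept_invite_unchecked(report, user):
    # Reported behaviour: only the invite is checked, not the program policy.
    if user.name not in report.invited:
        raise PolicyError(f"{user.name}: no pending invite")
    report.invited.discard(user.name)
    report.collaborators.add(user.name)

def accept_invite(report, user):
    # Hardened: the invitee must meet the same requirement as the reporter.
    require_program_policy(report, user)
    accept_invite_unchecked(report, user)

def can_view(report, user):
    # Re-check at read time, so turning 2FA off after joining removes access.
    if user.name != report.reporter and user.name not in report.collaborators:
        return False
    try:
        require_program_policy(report, user)
    except PolicyError:
        return False
    return True
```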
Report Stats
- Report ID: 2575079
- State: Closed
- Substate: duplicate
- Upvotes: 5