Enable 2FA without verifying the email

Disclosed: 2019-10-25 08:13:30 By rioncool22 To moneybird
Medium
Vulnerability Details
# Description:
I was able to add 2FA to my account without verifying my email.

# Attack scenario:
1. Attacker signs up with the victim's email (an email verification will be sent to the victim's email).
2. Attacker is able to log in without verifying the email.
3. Attacker adds 2FA.

## Impact
The victim can't register an account with the victim's email. If the victim resets the password, the password will change, but the victim can't log in because of 2FA.
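The three-step scenario and its impact, replayed against a minimal account model that reproduces the reported flow beside the fixed one (gating both login and 2FA enrollment on a verified email). This is an added example, not code from the report or from moneybird; the class and method names, the toy TOTP check and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

class AuthError(Exception):
    pass

@dataclass
class Account:
    email: str
    password: str                      # stand-in; a real service stores a hash
    email_verified: bool = False       # set when the mailbox owner clicks the link
    totp_secret: Optional[str] = None  # set once 2FA is enabled

class AccountService:
    def __init__(self, require_verified_email: bool):
        # False reproduces the reported flow; True is the hardened flow
        self.require_verified_email = require_verified_email
        self.accounts: Dict[str, Account] = {}

    def sign_up(self, email: str, password: str) -> Account:
        if email in self.accounts:
            raise AuthError("email already registered")
        acct = self.accounts[email] = Account(email, password)
        return acct  # the real flow mails a verification link to `email` here

    def login(self, email: str, password: str, totp_code: Optional[str] = None) -> Account:
        acct = self.accounts[email]
        if acct.password != password:
            raise AuthError("wrong password")
        if self.require_verified_email and not acct.email_verified:
            raise AuthError("email not verified")   # the missing check
        if acct.totp_secret is not None and totp_code != acct.totp_secret:
            raise AuthError("valid 2FA code required")  # toy check: code == secret
        return acct

    def enable_2fa(self, email: str, password: str, secret: str) -> None:
        # Enrollment goes through login(), so the verification gate covers it too
        self.login(email, password).totp_secret = secret

    def reset_password(self, email: str, new_password: str) -> None:
        # The reset link reaches the mailbox owner (the victim), not the attacker
        self.accounts[email].password = new_password

def run_scenario(require_verified_email: bool) -> str:
    """Replay the report's steps; return how the scenario ends for the victim."""
    svc = AccountService(require_verified_email)
    svc.sign_up("victim@example.com", "attacker-pw")             # step 1
    try:
        svc.enable_2fa("victim@example.com", "attacker-pw", "ATTACKER-TOTP")  # steps 2-3
    except AuthError:
        return "blocked: 2FA enrollment refused until the email is verified"
    svc.reset_password("victim@example.com", "victim-pw")        # victim resets password
    try:
        svc.login("victim@example.com", "victim-pw")             # but has no 2FA code
    except AuthError:
        return "locked out: reset succeeded but login needs the attacker's 2FA"
    return "unexpected"
```

`run_scenario(False)` ends in the lockout the report describes; `run_scenario(True)` stops at step 3 because the unverified account can neither log in nor enroll 2FA.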
Report Stats
  • Report ID: 649533
  • State: Closed
  • Substate: resolved
  • Upvotes: 130