Signup with any email and enable 2FA without verifying email

Disclosed: 2020-04-23 12:35:27 By rioncool22 To omise
Medium
Vulnerability Details
## Description

When I sign up, I can enable 2FA without verifying my email.

## Attack Scenario

1. The attacker signs up with the victim's email.
2. Go to `Two factor authentication` and enable 2FA.

## Impact

When the victim wants to register on this [site](https://dashboard.omise.co/), they can't, because their email is claimed by the attacker. And if the victim resets the password to get back the email, he can, but he can't log in because a 2FA code is needed.
Report Stats
  • Report ID: 699200
  • State: Closed
  • Substate: resolved
  • Upvotes: 35
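
A server-side guard against the scenario in this report, as an added example (not code from the report or from Omise; the report does not say how the issue was fixed). `AccountService`, `Account` and `EmailNotVerified` are hypothetical names, and treating an unverified registration as a replaceable claim is an assumption of this sketch.

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Optional


class EmailNotVerified(Exception):
    """Raised when 2FA enrollment is attempted on an unverified account."""


@dataclass
class Account:
    email: str
    email_verified: bool = False
    totp_secret: Optional[str] = None  # None means 2FA is off
    verify_token: str = ""


class AccountService:
    """Hypothetical in-memory account store used only for this example."""

    def __init__(self):
        self.accounts = {}

    def signup(self, email):
        key = email.strip().lower()
        existing = self.accounts.get(key)
        if existing and existing.email_verified:
            raise ValueError("email already registered")
        # Assumption: an unverified signup is only a claim on the address, so a
        # later signup replaces it and the earlier verification token goes stale.
        acct = Account(email=key, verify_token=secrets.token_urlsafe(16))
        self.accounts[key] = acct
        return acct.verify_token  # in production this is mailed, not returned

    def verify_email(self, email, token):
        acct = self.accounts[email.strip().lower()]
        if token and secrets.compare_digest(acct.verify_token, token):
            acct.email_verified, acct.verify_token = True, ""
            return True
        return False

    def enable_2fa(self, email):
        acct = self.accounts[email.strip().lower()]
        # The missing check from the report: no 2FA before proof of mailbox ownership.
        if not acct.email_verified:
            raise EmailNotVerified("verify the email address before enabling 2FA")
        acct.totp_secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return acct.totp_secret
```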