WRITEUP #5563

How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc)

Logic Bug, Logic flaw, Broken authentication
by Luke Berner
Program
Google, Microsoft, Meta / Facebook
Published
Jan 25, 2019
Added to HackDex
Sep 15, 2022
Read Full Writeup: https://medium.com/@lukeberner/how-i-abused-2fa-to-maintain-persistence-after-a-password-change-google-microsoft-instagram-7e3f455b71a1
RELATED WRITEUPS
Logic Flaw: I Can Block You from Accessing Your Own Account
Logic Bug, Logic flaw
“Like” Bypass on Customer Reviews — €500 bounty
Logic Bug, Logic flaw
Account Takeover via Broken Authentication Workflow: Free Lifetime Streaming!
Auth Bypass, Broken authentication
Plug Security Holes in React Apps That Can Lead to API Exploitation
Auth Bypass, SSO
Interesting Business Logic Error leads to Pre-Account Takeover via Verification bypass on GoogleVRP
Auth Bypass, Account takeover