This blog is all about Cyber Security and IT

Application level DoS via 2- Factor Autentication

 Overview of the impact of this Bug

Sometimes we are able to create account on website without verifying email . I found this vulnerability when i am able to create account without email verification and as soon as I login , I go to the account section and what I see is 2FA facility. Now I set my own Email in that. This led the legitimate user to not access his account even if he reset the account because of 2FA.

Attack scenario

Attacker sign up with victim email (Email verification will be sent to victim email).
Attacker able to login without verifying email.
Attacker add 2FA.


Please stop the user to get into the account until Email verification done.


Post a Comment