Application level DoS via 2- Factor Autentication
Overview of the impact of this Bug
Sometimes we are able to create account on website without verifying email . I found this vulnerability when i am able to create account without email verification and as soon as I login , I go to the account section and what I see is 2FA facility. Now I set my own Email in that. This led the legitimate user to not access his account even if he reset the account because of 2FA.
Attack scenario
Attacker sign up with victim email (Email verification will be sent to victim email).
Attacker able to login without verifying email.
Attacker add 2FA.
Remediation
Please stop the user to get into the account until Email verification done.
0 comments:
Post a Comment