Post by yawnbox <img src="https://minio-api.thedoodleproject.net:443/takahe/emoji/disobey.net/rebel.png" class="emoji" alt="Emoji rebel">

ourselves.space

176d

#Discord told me on #HackerOne that this isn't a security #vulnerability, so cool, I'll talk about it publicly.

You can disable 2FA¹ on another person's account if you get access to their phone momentarily.

All you have to do is create a new account and put their phone number in as the login; if you verify the code, it strips it from the other account with no warning, and they can't take it back.

So have fun I guess?

¹ SMS is not #2FA

#infosec

Edited 176d ago

2 0 1 View Post & Replies See Original

175d

@north
i've been dying on the "sms is not 2fa" hill for 9 years now

0 0 0 View Post & Replies See Original