When "Secure" 2FA Is Just One API Call Away from Bypass
In 2022, a researcher discovered a major crypto exchange's 2FA could be completely bypassed. After entering a valid username and password, the app set a session cookie and redirected to the OTP page. The researcher noticed: what happens if I just skip the OTP page and go directly to the dashboard?
The answer: they were fully logged in. The API endpoints checked for a session cookie but never verified whether the OTP step had been completed. The 2FA was only enforced by the frontend — not the backend.
2FA BYPASS TECHNIQUES
Step Skip
After step 1 (the password), call the API endpoints directly. If the backend only checks "session exists" rather than "MFA completed", you're in.
Response Manipulation
Intercept the OTP verification response in DevTools and change false → true before the frontend processes it.
OTP Brute Force
4-digit code = 10,000 combos. With ffuf at 100 req/s and no lockout, done in under 2 minutes.
OTP Reuse
The same OTP stays valid for an extended window (30 min+), so a previously captured OTP still works.
Direct API Access
MFA exists only in the web UI flow; the mobile API or REST API has no MFA check at all.
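As an added example (not code from the original page or from the exchange it describes), here is a minimal Python model of the backend-side fix: the session carries an MFA flag that only the server sets, every protected endpoint requires that flag, the OTP is single use, and attempts are capped. The names Session, dashboard_weak, dashboard and MAX_OTP_ATTEMPTS are assumptions for illustration.

```python
# Added example: server-side enforcement of the OTP step (all names are assumptions).
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_OTP_ATTEMPTS = 5  # assumed lockout threshold; defeats unthrottled OTP guessing


@dataclass
class Session:
    user: str
    mfa_completed: bool = False         # set ONLY by the backend after a verified OTP
    otp_attempts: int = 0
    pending_otp: Optional[str] = None   # server-generated, single use


SESSIONS: Dict[str, Session] = {}


def password_login(user: str) -> str:
    """Step 1: password already verified elsewhere; session is NOT yet MFA-complete."""
    token = secrets.token_urlsafe(16)
    otp = f"{secrets.randbelow(1_000_000):06d}"   # would be delivered out of band
    SESSIONS[token] = Session(user=user, pending_otp=otp)
    return token


def verify_otp(token: str, submitted: str) -> bool:
    """Step 2: the server decides; a frontend cannot flip false -> true on its own."""
    s = SESSIONS.get(token)
    if s is None or s.pending_otp is None or s.otp_attempts >= MAX_OTP_ATTEMPTS:
        return False
    s.otp_attempts += 1
    if hmac.compare_digest(s.pending_otp, submitted):
        s.mfa_completed = True
        s.pending_otp = None            # single use: a captured OTP cannot be replayed
        return True
    return False


def dashboard_weak(token: str) -> int:
    """Vulnerable: only asks 'does a session exist?', so skipping the OTP page works."""
    return 200 if token in SESSIONS else 401


def dashboard(token: str) -> int:
    """Fixed: every authenticated endpoint (web, mobile, REST) requires the MFA flag."""
    s = SESSIONS.get(token)
    if s is None:
        return 401
    return 200 if s.mfa_completed else 403
```

The same `dashboard`-style check must sit in front of every API surface, not just the web flow, or the Direct API Access bypass above still applies.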
Why does 2FA step-skip work when the check is only in the frontend?