A logic flaw in the password reset flow allowed a complete Two-Factor Authentication (2FA) bypass. After enabling 2FA using Google Authenticator, it was possible to reset the account password and gain full access without providing any valid 2FA code, simply by skipping the 2FA step during the reset process. This vulnerability effectively renders 2FA useless and can lead to full account takeover.
Steps to Reproduce:
- Create a new account.
- Log in and enable Two-Factor Authentication using Google Authenticator.
- Log out.
- Navigate to the Reset Password page.
- Open the password reset link received via email.
- When prompted for the 2FA verification code, observe the Skip option.
- Click Skip to bypass the 2FA verification step.
- Set a new password for the account.
- You are redirected directly to the dashboard without completing any 2FA challenge.
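The server-side check this flow was missing, as an added example written for this page (it is not code from the affected program): the reset state records whether the second factor was verified, and the password-change step refuses to proceed until it is, so a "Skip" control in the UI has no effect. The TOTP routine is a plain RFC 6238 (HMAC-SHA1) implementation on the standard library; the `PasswordResetService` class, its method names, the sample accounts and the fixed timestamps are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-SHA256; the 16-byte salt is stored in front of the hash."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


@dataclass
class Account:
    email: str
    password_hash: bytes
    totp_secret: Optional[str] = None  # None means 2FA is not enrolled


@dataclass
class ResetState:
    email: str
    expires_at: float
    second_factor_verified: bool = False  # flipped only by a correct TOTP code


class PasswordResetService:
    """Hypothetical reset flow: token -> (2FA if enrolled) -> new password."""

    def __init__(self, accounts, ttl: int = 900):
        self.accounts: Dict[str, Account] = {a.email: a for a in accounts}
        self.ttl = ttl
        self.resets: Dict[str, ResetState] = {}

    def start_reset(self, email: str, now: float) -> str:
        # The emailed link carries this token. A token is returned for unknown
        # emails too, so the response does not reveal whether an account exists.
        token = secrets.token_urlsafe(32)
        if email in self.accounts:
            self.resets[token] = ResetState(email, now + self.ttl)
        return token

    def _state(self, token: str, now: float) -> Optional[ResetState]:
        st = self.resets.get(token)
        if st is None or now > st.expires_at:
            self.resets.pop(token, None)
            return None
        return st

    def verify_second_factor(self, token: str, code: str, now: float) -> bool:
        """Accept the current TOTP code or its immediate neighbours (+/- one step)."""
        st = self._state(token, now)
        if st is None:
            return False
        acct = self.accounts[st.email]
        if acct.totp_secret is None:
            return True  # nothing to verify for accounts without 2FA
        ok = False
        for drift in (-30, 0, 30):
            if hmac.compare_digest(code, totp(acct.totp_secret, now + drift)):
                ok = True
        if ok:
            st.second_factor_verified = True
        return ok

    def complete_reset(self, token: str, new_password: str, now: float) -> str:
        """Returns 'ok', 'second_factor_required' or 'invalid_token'."""
        st = self._state(token, now)
        if st is None:
            return "invalid_token"
        acct = self.accounts[st.email]
        # The decision is made from server-side state, never from a client flag,
        # so there is no request shape that skips the second factor.
        if acct.totp_secret is not None and not st.second_factor_verified:
            return "second_factor_required"
        acct.password_hash = hash_password(new_password)
        del self.resets[token]  # single use: the link is dead once the password changes
        return "ok"
```

Two design points are worth noting. The "verified" bit lives in the server-side reset record keyed by the token, so the client cannot present it; and the reset token is invalidated the moment the password changes, so a link that leaked from the mailbox cannot be replayed. A third step that the example omits for brevity but that the report's impact argues for: on a successful reset of a 2FA-enrolled account, revoke existing sessions and notify the user.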
This issue was identified and reported in a private program on Bugcrowd.
VRT: Broken Authentication and Session Management — Second Factor Authentication (2FA) Bypass (P3)

Thanks for reading!
LinkedIn: KhaledAhmed107
FB: KhaledAhmed107