📌 Introduction

Hi, I'm Hasan Khan, a Web Application Penetration Security Researcher and bug bounty hunter from Bangladesh. I specialize in ethical hacking, vulnerability analysis, and dynamic application security testing. While testing the Vero platform, I discovered a high-severity 2FA bypass vulnerability caused by session fixation.

This flaw allowed me to log in without a valid second-factor authentication code by reusing an old session token. I responsibly reported this issue to Vero's security team, and they classified it as P2 (High Severity) and rewarded me USD $300 for being the first to report it.

🧪 Steps to Reproduce

1. Login Normally

Log in to your account using your email and password. You'll be prompted to enter a 2FA code.

2. Intercept the 2FA Request

Enter any random digit as the 2FA code and intercept the request using Burp Suite.

3. Modify the Response

  • Right-click the intercepted request and select "Do intercept → Response to this request."
  • Replace the response with a 302 redirect and inject your old session cookies from a previous successful login.

Here's an example of the manipulated response:

HTTP/2 302 Found
Location: https://app.getvero.com/campaigns
Set-Cookie: remember_user_token=...; secure; HttpOnly
Set-Cookie: _vero_session=...; secure; HttpOnly; SameSite=Lax

4. Bypass Successful

You'll be redirected to the dashboard and fully logged in — without a valid 2FA code.

โš ๏ธ Impact

  • An attacker can bypass 2FA protection using a previously valid session token.
  • Even after logging out, the old session can be reused to gain access.
  • This breaks the core security model of multi-factor authentication and exposes user accounts to takeover.

✅ Recommendations

To mitigate this vulnerability:

  • Invalidate all previous session tokens once 2FA is triggered.
  • Bind session tokens to the completion of 2FA, not just the login credentials.
  • Implement strict session lifecycle management and token rotation.
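The three recommendations above, modelled side by side as an added example (this is illustrative code, not Vero's implementation; the cookie names earlier suggest a Rails app, but this store is framework-neutral and the user "alice" and the method names are hypothetical). The vulnerable pattern issues a fully privileged session at the password step and never revokes older ones; the hardened pattern keeps the session in an MFA-pending state, revokes the user's earlier sessions when 2FA is triggered, and rotates the token on completion.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example.
    Each token maps to (user, mfa_passed)."""

    def __init__(self):
        self.sessions = {}  # token -> (user, mfa_passed)

    def _issue(self, user: str, mfa_passed: bool) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, mfa_passed)
        return token

    def _revoke_all(self, user: str) -> None:
        for t in [t for t, s in self.sessions.items() if s[0] == user]:
            del self.sessions[t]

    # Vulnerable pattern: the password step already yields a fully privileged
    # session and older sessions are never revoked, so any earlier cookie works.
    def login_vulnerable(self, user: str) -> str:
        return self._issue(user, True)

    # Hardened pattern: 2FA is triggered here, so every prior session is revoked
    # and the new session is only "MFA pending" until complete_mfa() succeeds.
    def login_hardened(self, user: str) -> str:
        self._revoke_all(user)
        return self._issue(user, False)

    def complete_mfa(self, token: str, code_ok: bool):
        pending = self.sessions.get(token)
        if pending is None or pending[1] or not code_ok:
            return None  # unknown token, already upgraded, or wrong code
        del self.sessions[token]  # rotate: the pre-2FA token must not survive
        return self._issue(pending[0], True)

    def is_authorised(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s[1]


def old_cookie_accepted(hardened: bool) -> bool:
    """Replay a cookie from an earlier, fully authenticated login after a new
    login whose 2FA step fails. True means the reuse described above works."""
    store = SessionStore()
    if hardened:
        old = store.complete_mfa(store.login_hardened("alice"), code_ok=True)
        store.complete_mfa(store.login_hardened("alice"), code_ok=False)
    else:
        old = store.login_vulnerable("alice")
        store.login_vulnerable("alice")
    return store.is_authorised(old)
```

In a real deployment the same state machine lives in the server-side session record, and `_revoke_all` should also run on logout so a copied cookie dies with the session.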

๐Ÿ“ Responsible Disclosure & Reward

I reported this issue to Vero's security team through their responsible disclosure program. They responded promptly, classified the issue as P2 (high severity), and awarded me USD $300 for my report.

📩 Here's a snippet from their response:

"You are the first to report this vulnerability. We reward P2 tickets at USD $300. Thank you for reporting this finding and for your hard work — we absolutely appreciate it!"


🎯 Final Thoughts

This finding highlights how session management flaws can undermine even strong authentication systems. Developers must ensure that session tokens are tightly coupled with 2FA completion and cannot be reused across login flows.

๐ŸŒ Follow With Me

If you found this writeup helpful or inspiring, follow me for more vulnerability reports, security guides, and community resources: