Status: Closed
Assigned To: cbay - Private
Opened by kamrul0x - 07.12.2025
Last edited by cbay - 08.12.2025
FS#259 - 2FA Bypass via Parallel Request Replay (Multiple Valid Responses Generated From One 2FA Code)
Summary:
After enabling 2FA, during login the system asks for email, password, and then a valid 2FA code. When a valid 2FA code request is captured and sent through Burp Repeater, sending multiple parallel copies of the same request returns multiple valid 2FA responses for a single correct code. These valid responses can then be replayed at any time to bypass the 2FA challenge completely. As a result, an attacker can repeatedly access the account without entering any new 2FA code, fully bypassing the authentication layer.
Steps to Reproduce:
Enable 2FA on your account.
Log out and attempt to log in again.
Enter a valid email and password.
When the system asks for the 2FA code, enter a valid code and capture this request in Burp Suite.
Send the 2FA request to Burp Repeater and create multiple parallel copies.
Send all parallel requests simultaneously — observe that the server returns multiple valid 2FA success responses for one single valid code.
Now try logging in again: enter any invalid 2FA code.
Capture the invalid response and replace it with one of the previously captured valid parallel responses.
Forward the modified response — you will gain full account access without needing a new 2FA code.
This method works repeatedly.
Impact:
This vulnerability breaks the entire 2FA security model. By replaying the multiple valid responses generated from a single 2FA code, an attacker can repeatedly log in without providing any fresh 2FA code. This completely bypasses multi-factor authentication, rate limiting, and OTP expiration logic, allowing persistent unauthorized access to any protected account.
Note: Please don't disclose this report
Hello,
That's just how TOTP works: there's only one single valid code every 30 seconds. It can be "reused" as many times as you want during that time window.
Kind regards,
Cyril
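RFC 6238 (section 5.2) recommends that a verifier refuse a code it has already accepted, which also covers the parallel-copies case in the report. As an added example, not code from this project, a verifier that records the highest accepted time-step per user and serialises the check so only one of several simultaneous copies of the same code can succeed (the secret and user names below are constructed):

```python
import hashlib
import hmac
import struct
import threading

STEP = 30  # TOTP time-step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Accepts each time-step's code at most once per user (RFC 6238 section 5.2)."""

    def __init__(self):
        self._last_step = {}  # user -> highest time-step already consumed
        self._lock = threading.Lock()

    def verify(self, user: str, secret: bytes, code: str, now: float, skew: int = 1) -> bool:
        current = int(now // STEP)
        for step in range(current - skew, current + skew + 1):  # tolerate clock drift
            if hmac.compare_digest(hotp(secret, step), code):
                with self._lock:  # check-and-record is atomic, so parallel copies cannot all pass
                    if step <= self._last_step.get(user, -1):
                        return False  # code already consumed: replay or duplicate request
                    self._last_step[user] = step
                return True
        return False


def parallel_attempts(verifier: TotpVerifier, user: str, secret: bytes, code: str, now: float, n: int = 10) -> int:
    """Submit the same code n times concurrently; return how many attempts were accepted."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(verifier.verify(user, secret, code, now)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

In a real deployment the consumed time-step must live in shared storage (the user record or a cache) with an atomic compare-and-set, since an in-process lock does not protect multiple application servers.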
Hello Cyril,
I think you didn't understand the issue properly. I can use it multiple times, and it's not a little window: I can use it 1 hour later, 1 day later or many days later; it doesn't matter. If you need any PoC, just let me know, but this is a valid issue.
Hello Cyril,
I already requested you not to disclose the finding. Your bug bounty policy does not state anywhere that you can disclose bugs without permission. And even though I clearly prohibited it, you still disclosed the bug — this is not expected.
Please ensure that no one else can see my report
Yes, can you please send a PoC?
Why?
Why?
Because I don't want to, so please. With due respect, I will be very glad if you do that.
Here is the PoC. Hope you understand the issue clearly now.
Please provide a PoC using curl as I don't know Burp Suite.
All reports are eventually public, as specified in the header: "Once processed, the reports are public."
This issue can't be reproduced via curl, since this is a race condition / parallel request issue. I can guide you if you want.
This issue can only be done via Burp Repeater parallel requests.
I believe you're mistaken. When you send multiple valid login requests, each of them succeeds and creates a unique session.
When you click on "logout" in your browser, you only log out from a single session. All of the other ones are still valid, as expected. Your PoC only shows that you reused a valid session ID in your browser.
Yes, you are right, but this is a valid issue. For a single OTP the server is creating multiple valid sessions. This is not expected behaviour from the server: for one valid OTP there should be one valid session, but for parallel requests the server creates multiple valid sessions for a single OTP, and by using those one by one there is no need for a new OTP again. Creating multiple valid sessions for a single OTP is not expected behaviour. I have been rewarded by multiple companies for this issue, also on HackerOne.
Yes it is.
The report is definitely closed.
Please delete this ticket or task or this issue from your site.
Can you please explain why you want it private?
Hello Cyril,
This is my private method. I have received multiple rewards for this. From your point of view this is not an issue, but it's okay. But I have also been rewarded by multiple HackerOne programs. So please delete this so no one can see this. I request you.
Hello Cyril,
Any update?
I'm sorry but your report remains public, as all reports.