Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by nexxp66 - 15.07.2026
Last edited by cbay - 15.07.2026

FS#411 - Expired Two-Factor Authentication (2FA) Code Accepted, Allowing Authentication Bypass

Description

During testing, I discovered that the application accepts an expired 2FA verification code.

After capturing the 2FA verification request, I waited until the code expired (after three code rotations). Even after expiration, replaying the same request was accepted by the server and resulted in successful authentication.

This indicates that the application does not properly validate the expiration time of 2FA verification codes.

Steps to Reproduce
Log in using a valid email address and password.
Enter the 2FA verification code.
Capture the 2FA verification request using Burp Suite.
Send the captured request to Burp Repeater.
Wait until the 2FA code has completed three rotations and is expired.
Send the request from Burp Repeater and observe a 302 Found response.
Forward the original intercepted request containing the same expired 2FA code.
Observe that the server again returns 302 Found and successfully authenticates the account.

Impact

An expired 2FA code can still be used to complete authentication, allowing an attacker who obtains an old 2FA code to bypass the intended expiration protection and gain unauthorized access to the account.

Expected Behavior

The server should reject any 2FA verification attempt using an expired code and require the user to enter a new valid code.

Actual Behavior

The server accepts a 2FA code even after it has expired and successfully authenticates the user.

Closed by  cbay
15.07.2026 13:18
Reason for closing:  Duplicate
Additional comments about closing:  

https://security.alwaysda ta.com/task/204

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing