by ReverseCold
2854 days ago
That's so easy to bypass.

1. Wait for user to sign in.
2. Intercept their sign in.
3. User: "Oh, it didn't work. I'll just try again."
4. User tries again and it works. Attacker is also logged in now.

Alternatively, at that point you could just inject JS into whatever website needed 2FA and do everything without the user noticing anything.