TL;DR: Waiting in the 2FA page could allow you to log in without knowing the current password in many major websites.

This is a logic flaw vulnerability I initially found in Google, and then tested in other top companies (such as Microsoft, Instagram, Cloudflare, etc) to find out they were vulnerable as well.

1) The initial bug

It all started with the idea that, being 2FA newer than most login flows, it would have to be implemented by different teams at different times (in some cases, probably years apart).

As any project involving multiple teams, communication is hindered and coordination can be impacted.

So… what happens if you try to change something in the process, like changing your password, while being in the process of logging in, let’s say in the 2FA login page? …

Luke Berner

Security Engineer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store