In r/redteamsec and r/bugbounty, builders discuss MFA bypass as both an offensive focus area and a reporting and scoring challenge, including how bypasses affect all accounts and how to reason about CVSS fields.
Some of you might know me from my security research and blog posts on Medium (curtbraz.medium.com), things like phishing password managers, bypassing MFA, and AI-generated phishing PoCs.
I have found authentication bypasses in most of my reports, but rarely a 2FA bypass; lately, though, I found a 2FA bypass in a login flow.
I am here to ask about CVSS in this case, specifically about one field, which is “Privileges Required”.
A 2FA bypass affects _every account_; therefore the password requirement is represented in the Attack Complexity metric and not in the Privileges Required metric.