MFA Bypass and Session Abuse

Mobile app MFA enforcement gaps and cookie-based session replay testing

March 20, 2026 (r/bugbounty)

In r/bugbounty, a recurring pattern is MFA that is enabled on the web application but not enforced on mobile; responders recommend structured validation and session/cookie replay to prove impact, with severity hinging on whether a fresh login truly skips the second factor.

I found a bug where, if you set MFA on your account, only the web application enforces it. The mobile application doesn't enforce it; you just log in.
Um, intercept the app traffic. Once login is done and you're able to use the mobile app, copy the cookies of the mobile app and try them in Burp with regular web browser interception.
Once the cookies are injected and you're able to browse the web app normally, change the MFA or remove it.
The key question is whether the app is doing a trusted-device-style enrollment, or if it truly lets a fresh login skip the second factor entirely.
If a new device with only username and password gets a fully authenticated session, that is an MFA bypass.
Source: r/bugbounty. Tags: mfa bypass, mobile vs web, session replay
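The two defects the thread points at, modelled as an added example (not code from the thread or from any real application): a login path that only demands the second factor for the web client, next to one that keys the rule on the account, records which authentication methods actually ran, and treats a trusted device as an explicit enrollment rather than a silent skip. The user record, OTP value and device token are constructed sample data, and the `amr` set is an assumption borrowed from the OpenID Connect claim of that name.

```python
"""Added illustration (not the thread's code): MFA enforcement keyed on the
client versus keyed on the account, plus a step-up check for MFA management.
All accounts, secrets and device tokens below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed account: MFA enabled, one previously enrolled trusted device.
USERS = {"alice": {"password": "correct-horse", "mfa_enabled": True,
                   "otp": "123456", "trusted_devices": {"dev-tok-7f"}}}


@dataclass
class Session:
    user: str
    client: str                              # "web" or "mobile"
    amr: set = field(default_factory=set)    # methods that ran, e.g. {"pwd", "otp"}


def login_vulnerable(user, password, client, otp=None):
    """Enforcement gap from the thread: the second factor is only demanded on
    the web client, so a password-only mobile login yields a usable session."""
    acct = USERS.get(user)
    if not acct or acct["password"] != password:
        return None
    if client == "web" and acct["mfa_enabled"] and otp != acct["otp"]:
        return None
    return Session(user, client, {"pwd"})    # nothing records that MFA was skipped


def login_hardened(user, password, client, otp=None, device_token=None):
    """Same rule on every client: an MFA-enabled account needs a second factor
    or a recorded trusted-device enrollment, and the session remembers which."""
    acct = USERS.get(user)
    if not acct or acct["password"] != password:
        return None
    amr = {"pwd"}
    if acct["mfa_enabled"]:
        if otp == acct["otp"]:
            amr.add("otp")
        elif device_token in acct["trusted_devices"]:
            amr.add("trusted_device")
        else:
            return None                      # no silent skip for any client
    return Session(user, client, amr)


def can_change_mfa(session):
    """Step-up rule for changing or removing MFA: the session must have
    completed a second factor in this login; a replayed cookie from a
    password-only or trusted-device login does not qualify."""
    return session is not None and "otp" in session.amr
```

Applying `can_change_mfa` at the web endpoint is what blocks the cookie-replay step the posters describe, independently of which client minted the cookie.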
