Skip to main content  >
Hackerone logo
Learn more about HackerOne
Log in
#2598548
Bypassing HackerOne 2FA due to race condition
Summary by HackerOne
A race condition vulnerability was identified in HackerOne's 2FA reset process. The issue allowed an attacker to initiate multiple parallel 2FA reset requests, resulting in multiple reset notification emails. When a user canceled one reset request, the remaining requests would stay active, potentially leading to unauthorized 2FA removal after 24 hours.
Timeline
Show older activities
 posted a comment
Updated October 30, 2024, 2:32pm UTC
 posted a comment
Updated July 12, 2024, 9:25pm UTC
 posted a comment
July 18, 2024, 2:47am UTC
HackerOne triage
 changed the status to
Pending program review
July 23, 2024, 9:45am UTC
HackerOne staff
 updated the severity to
medium (4.8)
July 25, 2024, 11:29am UTC
HackerOne staff
 changed the status to Triaged
July 25, 2024, 11:31am UTC
HackerOne staff
 posted a comment
July 25, 2024, 11:34am UTC
 posted a comment
July 25, 2024, 12:30pm UTC
 posted a comment
July 31, 2024, 12:59pm UTC
HackerOne triage
 posted a comment
August 1, 2024, 6:28am UTC
HackerOne
 rewarded akashhamal0x01 with a bounty
August 2, 2024, 8:55am UTC
HackerOne staff
 changed the status to Retesting
Updated October 29, 2024, 4:32pm UTC
Akash Hamal
ID-verifiedHacker that has successfully completed an ID verification check.
 completed a retest
Updated October 30, 2024, 2:32pm UTC
 posted a comment
October 29, 2024, 8:29pm UTC
HackerOne staff
 changed the report title
October 30, 2024, 2:19pm UTC
HackerOne
 accepted completed retest from the retester
October 30, 2024, 2:21pm UTC
HackerOne staff
 closed the report and changed the status to Resolved
October 30, 2024, 2:21pm UTC
 posted a comment
October 30, 2024, 2:23pm UTC
HackerOne staff
 requested to disclose this report
October 30, 2024, 2:48pm UTC
 agreed to disclose this report
October 30, 2024, 2:56pm UTC
 This report has been disclosed
October 30, 2024, 2:56pm UTC
 posted a comment
October 31, 2024, 10:34am UTC
 posted a comment
December 14, 2024, 7:24am UTC
HackerOne staff
 posted a comment
December 16, 2024, 2:16pm UTC
 posted a comment
February 23, 2025, 9:58am UTC
Reported on
July 12, 2024, 9:25am UTC
Reported by
Reported to
HackerOne
Managed
Participants
Report Id
#2598548
Resolved
Severity
Medium (4.8)
Disclosed
October 30, 2024, 2:56pm UTC
Weakness
Business Logic Errors
CVE ID
None
Bounty
Hidden