#Discord told me on #HackerOne that this isn't a security #vulnerability, so cool, I'll talk about it publicly.
You can disable 2FA¹ on another person's account if you get access to their phone momentarily.
All you have to do is create a new account and put their phone number in as the login; if you verify the code, it strips it from the other account with no warning, and they can't take it back.
So have fun I guess?
¹ SMS is not #2FA
#infosec
Jason Parker (he/they) /
npub1re…amq7d
2024-09-21 15:33:04
Author Public Key
npub1re49l7uznmsuxchckysh23gd7qcrm33qlkzttqulxzwth9jwh7rq0amq7dPublished at
2024-09-21 15:33:04Event JSON
{
"id": "c929ff758eff11eaba2dc86d573a7d7f11c0d08164f437710531c9b9f27d86fe",
"pubkey": "1e6a5ffb829ee1c362f8b12175450df0303dc620fd84b5839f309cbb964ebf86",
"created_at": 1726932784,
"kind": 1,
"tags": [
[
"t",
"2fa"
],
[
"t",
"hackerone"
],
[
"t",
"infosec"
],
[
"proxy",
"https://xn--8r9a.com/@north/113176266989879989",
"web"
],
[
"t",
"vulnerability"
],
[
"t",
"discord"
],
[
"proxy",
"https://xn--8r9a.com/users/north/statuses/113176266989879989",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://xn--8r9a.com/users/north/statuses/113176266989879989",
"pink.momostr"
],
[
"-"
]
],
"content": "#Discord told me on #HackerOne that this isn't a security #vulnerability, so cool, I'll talk about it publicly.\n\nYou can disable 2FA¹ on another person's account if you get access to their phone momentarily.\n\nAll you have to do is create a new account and put their phone number in as the login; if you verify the code, it strips it from the other account with no warning, and they can't take it back.\n\nSo have fun I guess?\n\n¹ SMS is not #2FA\n\n#infosec",
"sig": "c8acad687561f79567c4518a303e6f6976eedc01c1ccced2cdeb0c72677c53cd8e7b2afa7b6fbab376e8f56a2bca0809dfa18c83629789696acaf0f0a1e88622"
}