A cybersecurity researcher has discovered a business logic flaw on a crypto wallet website that can give attackers the ability to take over any victim’s wallet account.
The issue lies in the process of setting up two-factor authentication (2FA), which requires a verification code to be sent to the user’s email.
Attackers can reuse this code multiple times for the same email address, allowing them to set up 2FA on any account and then log in to it without knowing the user's password.
The only way to prevent this type of attack is to make sure that the verification code is unique each time and cannot be reused.
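To make the flaw and its fix concrete, here is an added example (not code from the wallet vendor or the researcher) of a 2FA enrolment code check in two forms. `WeakVerifier` models the reported behaviour: codes are looked up by email only and never consumed, so one code can be replayed against any account. `StrictVerifier` binds each code to the enrolling account and email, expires it, voids it after too many wrong guesses, and deletes it on first successful use. All class and function names, the ten-minute lifetime and the five-attempt limit are illustrative assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumption: a code lives for ten minutes
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed before the code is voided


def _new_code():
    """Six-digit numeric code drawn from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"


class WeakVerifier:
    """Mirrors the flaw described above: codes are keyed by email only and are
    never consumed, so one code works for any account, any number of times."""

    def __init__(self):
        self._codes = {}  # email -> code

    def issue(self, account_id, email):
        code = _new_code()
        self._codes[email] = code
        return code

    def verify(self, account_id, email, code):
        # account_id is ignored and nothing is deleted after a success.
        return self._codes.get(email) == code


class StrictVerifier:
    """Hardened flow: a code is bound to (account, email), expires, is voided
    after too many wrong guesses, and is deleted on first successful use."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised offline
        self._pending = {}  # account_id -> {"email", "code", "issued_at", "attempts"}

    def issue(self, account_id, email):
        code = _new_code()
        # A fresh issue replaces any earlier code pending for this account.
        self._pending[account_id] = {
            "email": email, "code": code, "issued_at": self._now(), "attempts": 0}
        return code

    def verify(self, account_id, email, code):
        entry = self._pending.get(account_id)
        if entry is None:
            return False  # no enrolment in progress for this account
        if self._now() - entry["issued_at"] > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return False  # expired: the user must request a new code
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account_id]
            return False  # too many guesses: void the code outright
        # Constant-time comparisons so the check leaks nothing about the stored values.
        email_ok = hmac.compare_digest(entry["email"].encode(), email.encode())
        code_ok = hmac.compare_digest(entry["code"].encode(), code.encode())
        if email_ok and code_ok:
            del self._pending[account_id]  # single use: consumed on success
            return True
        return False


def replay_scenario(verifier):
    """Constructed scenario: a code is issued for one account, used there, tried
    against a different account, then replayed on the original account."""
    code = verifier.issue("attacker-acct", "attacker@example.test")
    return {
        "own_account": verifier.verify("attacker-acct", "attacker@example.test", code),
        "other_account": verifier.verify("victim-acct", "attacker@example.test", code),
        "replay": verifier.verify("attacker-acct", "attacker@example.test", code),
    }


if __name__ == "__main__":
    print("weak:  ", replay_scenario(WeakVerifier()))    # every check passes
    print("strict:", replay_scenario(StrictVerifier()))  # only the first check passes
```

The key design point is that the code is stored under the account that is enrolling, not under the email address, so a code cannot be carried across accounts at all; single use and expiry then close the replay window, and the attempt cap keeps a six-digit code from being guessed online.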
The researcher reported the flaw to the company, which fixed the problem and rewarded him with $1250 in acknowledgement of his findings.