Introduction
You’d think that once a user changes their password, the old credentials become useless. But what if I told you that even after the password is updated, an attacker can still log in?
In this write-up, I’ll walk you through an Improper Authentication flaw I discovered in Basecamp, where a previously valid backup 2FA response could be reused to get past the new credentials, so an attacker who already knew the old password kept access to the account after the victim changed it.
Let’s break it down.
Vulnerability Summary
- Type: Improper Authentication
- Impact: Account Takeover even after password change
- Target: Basecamp
- Reported by: fuzzsqlb0f
- HackerOne Report ID: 1485788
- POC: Video attached to report
Steps to Reproduce
The exploit chains actions by both the attacker and the victim, as detailed in the original report. The steps break down as follows:
- Attacker Knows Victim’s Password and Logs In