Website MFA Bypass Vulnerability

Originally published at: Website MFA Bypass Vulnerability - Blog - GRC Academy

Bottom Line Up Front

I was trying to log into my account, and completely bypassed the MFA I had in place – by accident. For this vulnerability to be exploited, the following must have been in place:

- The attacker already compromised the user’s password
- The user hadn’t set up SMS (text messaging) as…

Cybersecurity reporter Brian Krebs shared my report! BrianKrebs: Here’s an interesting one for all you CISSPs out there - Infosec Exchange

James Coker of Infosecurity Magazine shared my research in an article: MFA Bypass: The Next Frontline for Security Pros - Infosecurity Magazine

James confirmed my suspicion that the bypass was caused by a misconfiguration:

In his blog detailing his findings, Hill suggested the flaw may have been caused by an SSO upgrade that (ISC)2 made on its website on 27 July 2022. Rosso confirmed to Infosecurity that the issue arose from a human implementation error, which provided learning opportunities for the body. “That allowed us to look at our security processes to see how we can avoid these kinds of problems on the front end in the first place,” she said.

James stated that (ISC)2’s CEO Clar Rosso said there were no indicators of compromise due to the MFA bypass vulnerability.

As IT and security professionals, it is important that we test the implementation of our IT and security solutions to ensure that they are achieving the desired effect. This event is a great reminder of this.

I want to thank Clar Rosso and Jon France of (ISC)² for the bug bounty award of CPEs! Jon said that this was a “type one” report.