
Can someone explain point #9 in the gist? How’d they know part of the two factor code?


It's not a two-factor code like you're thinking of. That code is shown on the sign-in / account recovery page, to whoever is making that attempt. Then the same value has to be chosen on the mobile device that's being used to authenticate that sign-in.

The goal isn't to protect against phishing or social engineering, but against people accidentally approving a sign-in they didn't initiate.


(specifically, there are "credential stuffing" style sign-in attacks where an attacker logs in "suspiciously" at the same time as a legit log in, possibly after forcing a log-out, hoping you approve both your log in and theirs when you get two, or ten pop-ups)
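To make the mechanism described in the two comments above concrete, here is a small server-side model of number-matching push MFA and of the "two prompts at once" scenario. This is an added example, not code from the thread or from any vendor's authenticator: the class names, the two-digit number range and the session ids are all assumptions. The number is shown only on the sign-in page, never in the push prompt, so a user who answers every prompt with the number from their own screen can only approve the attempt that produced that screen.

```python
"""Number-matching push MFA, modelled from the thread's description.

The sign-in page shows a number to whoever is attempting the sign-in; the
phone prompt asks the user to type that number. Approval is only granted
when the typed number matches the one tied to that specific attempt.
(Constructed model, not any real provider's implementation.)
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingSignIn:
    expected: int           # number displayed on the sign-in page for this attempt
    approved: bool = False
    consumed: bool = False  # each push prompt accepts exactly one answer


class NumberMatchMFA:
    """Server-side state for number-matching prompts (assumed design)."""

    def __init__(self, choices=range(10, 100), pick=secrets.choice):
        self._choices = list(choices)
        self._pick = pick        # injectable so the behaviour can be tested deterministically
        self._pending = {}

    def start_sign_in(self, session_id):
        """Called after the password check passed. Returns the number that the
        sign-in page displays to whoever is making this attempt."""
        number = self._pick(self._choices)
        self._pending[session_id] = PendingSignIn(expected=number)
        return number

    def respond_on_phone(self, session_id, typed_number):
        """The phone app reports the number its user typed for this prompt."""
        pending = self._pending.get(session_id)
        if pending is None or pending.consumed:
            return False
        pending.consumed = True  # no second guess on the same prompt
        if hmac.compare_digest(str(pending.expected), str(typed_number)):
            pending.approved = True
        return pending.approved

    def is_approved(self, session_id):
        pending = self._pending.get(session_id)
        return bool(pending and pending.approved)


def simulate_concurrent_prompts(mfa=None):
    """The scenario from the thread: a legitimate sign-in and an attacker's
    sign-in both reach the MFA step at once. The user gets two prompts and,
    approving blindly, types the number from their own screen into both."""
    if mfa is None:
        mfa = NumberMatchMFA()
    legit_number = mfa.start_sign_in("legit-session")
    attacker_number = mfa.start_sign_in("attacker-session")  # visible only on the attacker's screen
    # The user never sees attacker_number, so both prompts get legit_number.
    mfa.respond_on_phone("legit-session", legit_number)
    mfa.respond_on_phone("attacker-session", legit_number)
    return {
        "legit_number": legit_number,
        "attacker_number": attacker_number,
        "legit_approved": mfa.is_approved("legit-session"),
        "attacker_approved": mfa.is_approved("attacker-session"),
    }


if __name__ == "__main__":
    print(simulate_concurrent_prompts())
```

With this model the attacker's prompt is approved only if the two independently drawn numbers happen to collide (1 in 90 for the assumed two-digit range), which is exactly the "accidental approval" risk the mechanism is meant to remove; it does nothing against an attacker who already holds the password and can read their own screen, which is the point the next comment raises.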


The attacker was going through the sign in flow on their own computer. In the MFA step, it shows you a number and asks you to press the same number on your phone.

There's a screenshot of what this looks like here: https://gist.github.com/zachlatta/f86317493654b550c689dc6509...


What I'm confused by is how they got that far, to the point that 2FA was the only thing in their way. Did they already have this user's password?

