Legal Robot: 2FA Error Handling on Google Authenticator

2017-07-14T03:37:35
ID H1:249695
Type hackerone
Reporter japz
Modified 2017-07-31T04:23:27

Description

While searching for bugs in a recently launched 2FA feature, a security researcher discovered that client-side error handling for 2FA was incomplete and could cause confusing results for users. When 2FA failed, there was no error message returned to the client and the login progress spinner continued without interruption. Thanks to this report by @japzdivino, we found and resolved the problem.