How to bypass a 2FA with a HTTP header https://medium.com/@YumiSec/how-to-bypass-a-2fa-with-a-http-header-ce82f7927893
@angristan tl;dr: a forged X-Forwarded-For header can be used to bypass the rate limit for brute-forcing the code
@angristan hm, this is probably a bigger issue than just a bypass: if you parse the X-Forwarded-For header the wrong way, then clients can just lie about their source IP address. That’s problematic not just for 2FA brute force
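The parsing mistake discussed in the thread, as an added example that is not from the Medium post or from either poster: a rate limiter that keys on the first X-Forwarded-For entry can be reset by a client that rotates the header, while keying on the entry appended by the trusted reverse proxy (counted from the right) cannot. The proxy address, client addresses and the assumption of exactly one trusted proxy hop are constructed for the demo.

```python
from collections import defaultdict

TRUSTED_PROXY_HOPS = 1  # assumption: exactly one reverse proxy appends to XFF


def client_ip_naive(headers, peer_ip):
    """Vulnerable: trusts the leftmost XFF entry, which the client controls."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(headers, peer_ip, trusted_hops=TRUSTED_PROXY_HOPS):
    """Use the address appended by the last trusted proxy, counted from the right.
    Everything to the left of that entry was written by an untrusted party."""
    xff = headers.get("X-Forwarded-For")
    if not xff or trusted_hops <= 0:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return peer_ip  # shorter than the proxy chain would produce: use the socket peer
    return hops[-trusted_hops]


class CodeRateLimiter:
    """Counts 2FA code attempts per client key and refuses once the budget is spent."""

    def __init__(self, max_attempts, key_fn):
        self.max_attempts = max_attempts
        self.key_fn = key_fn
        self.attempts = defaultdict(int)

    def allow(self, headers, peer_ip):
        key = self.key_fn(headers, peer_ip)
        self.attempts[key] += 1
        return self.attempts[key] <= self.max_attempts


def via_proxy(client_headers, client_ip, proxy_ip="192.0.2.1"):
    """Model a trusted reverse proxy: it appends the real peer to XFF (constructed)."""
    xff = client_headers.get("X-Forwarded-For")
    forwarded = f"{xff}, {client_ip}" if xff else client_ip
    return {"X-Forwarded-For": forwarded}, proxy_ip


def count_allowed(limiter, n, client_ip="203.0.113.5"):
    """Return how many of n requests pass when each one carries a different forged XFF."""
    allowed = 0
    for i in range(n):
        forged = {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"}  # constructed
        headers, peer = via_proxy(forged, client_ip)
        if limiter.allow(headers, peer):
            allowed += 1
    return allowed
```

With a budget of 5 attempts, `count_allowed(CodeRateLimiter(5, client_ip_naive), 1000)` lets all 1000 through, while the hardened key function stops at 5.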