Critical 2FA Vulnerability: Reusable TOTP Codes Allow Unauthorized Access

<p> </p><p data-end="471" data-start="180">Two-factor authentication (2FA) is supposed to be one of the strongest layers of account protection. But during routine testing, I discovered a serious issue: the system allows the <strong data-end="397" data-start="361">same Google Authenticator (TOTP)</strong> code to be used <strong data-end="432" data-start="414">multiple times</strong>, even across different login sessions.</p> <p data-end="540" data-start="473">This completely breaks the “one-time” nature of one-time passwords.</p><p data-end="540" data-start="473"> </p><p data-end="540" data-start="473"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVcVUdFVCnU1lkS4LTnDkvuxYu2gG7eDnq5kHueG9Vi9RvDEcHVqXcsNBVvC4M5Z7RWa1HE5Nt06Snnls7poB9AMb1JwedK0t2xyeKpQ-9WGqRB3wCH4-aACGz0t_XHalEEyT-4REfjUuKpWbpaA80B00W_5n5Lb6dMni_G6QiMAr6TJ08aeGvJoTAKRc/s1024/Gemini_Generated_Image_th9l8hth9l8hth9l.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1024" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVcVUdFVCnU1lkS4LTnDkvuxYu2gG7eDnq5kHueG9Vi9RvDEcHVqXcsNBVvC4M5Z7RWa1HE5Nt06Snnls7poB9AMb1JwedK0t2xyeKpQ-9WGqRB3wCH4-aACGz0t_XHalEEyT-4REfjUuKpWbpaA80B00W_5n5Lb6dMni_G6QiMAr6TJ08aeGvJoTAKRc/w430-h430/Gemini_Generated_Image_th9l8hth9l8hth9l.png" width="430" /></a></div><br /> <p></p> <hr data-end="545" data-start="542" /> <h2 data-end="574" data-start="547"><strong data-end="574" data-start="550">📌 What’s the Issue?</strong></h2> <p data-end="677" data-start="576">The system does not mark a TOTP code as “used” after successful login.<br data-end="649" data-start="646" /> Because of this, anyone can:</p> <ul data-end="838" data-start="679"><li data-end="717" data-start="679"> <p data-end="717" data-start="681">Enter the TOTP code in one browser</p> </li><li data-end="773" data-start="718"> <p data-end="773" data-start="720">Reuse the <em data-end="736" data-start="730">same</em> code in another browser or session</p> </li><li data-end="838" data-start="774"> <p data-end="838" data-start="776">Successfully log in again before the 30-second interval ends</p> </li></ul> <p data-end="917" data-start="840">This makes it possible for an attacker to replay a valid code and bypass 2FA.</p> <hr data-end="922" data-start="919" /> <h2 data-end="952" data-start="924"><strong data-end="952" data-start="927">🧪 Steps to Reproduce</strong></h2> <ol data-end="1318" data-start="954"><li data-end="993" data-start="954"> <p data-end="993" data-start="957">Enable 2FA (Google Authenticator).</p> </li><li data-end="1053" data-start="994"> <p data-end="1053" data-start="997">Open <strong data-end="1015" data-start="1002">Browser 1</strong> → log in and reach the TOTP screen.</p> </li><li data-end="1140" data-start="1054"> <p data-end="1140" data-start="1057">Open <strong data-end="1087" data-start="1062">Browser 2 / Incognito</strong> → repeat the login and reach the same TOTP screen.</p> </li><li data-end="1203" data-start="1141"> <p data-end="1203" data-start="1144">Open Google Authenticator → get the current 6-digit code.</p> </li><li data-end="1254" data-start="1204"> <p data-end="1254" data-start="1207">Enter the code in Browser 1 → login succeeds.</p> </li><li data-end="1318" data-start="1255"> <p data-end="1318" data-start="1258">Enter the <strong data-end="1281" data-start="1268">same code</strong> in Browser 2 → login succeeds again.</p> </li></ol> <p data-end="1399" data-start="1320">The TOTP is accepted twice (or more), even though it should only be valid once.</p> <hr data-end="1404" data-start="1401" /> <h2 data-end="1432" data-start="1406"><strong data-end="1432" data-start="1409">🎯 Why This Matters</strong></h2> <p data-end="1532" data-start="1434">TOTP is designed to be a <strong data-end="1471" data-start="1459">one-time</strong> password.<br data-end="1484" data-start="1481" /> If a system allows reuse, it opens the door for:</p> <ul data-end="1663" data-start="1534"><li data-end="1552" data-start="1534"> <p data-end="1552" data-start="1536">Replay attacks</p> </li><li data-end="1584" data-start="1553"> <p data-end="1584" data-start="1555">Unauthorized account access</p> </li><li data-end="1606" data-start="1585"> <p data-end="1606" data-start="1587">Session hijacking</p> </li><li data-end="1663" data-start="1607"> <p data-end="1663" data-start="1609">Increased risk when codes are intercepted or exposed</p> </li></ul> <p data-end="1745" data-start="1665">A valid TOTP code becomes far more dangerous when it can be used more than once.</p> <hr data-end="1750" data-start="1747" /> <h2 data-end="1777" data-start="1752"><strong data-end="1777" data-start="1755">🛠 Recommended Fix</strong></h2> <p data-end="1837" data-start="1779">Implement <strong data-end="1817" data-start="1789">one-time use enforcement</strong> for each TOTP code:</p> <ul data-end="2038" data-start="1839"><li data-end="1921" data-start="1839"> <p data-end="1921" data-start="1841">Once a TOTP for a specific timestamp is successfully used, store it as “used.”</p> </li><li data-end="2038" data-start="1922"> <p data-end="2038" data-start="1924">Reject any future attempt using the same timestamp/code combination—even if it’s within the same 30-second window.</p> </li></ul> <p data-end="2058" data-start="2040">In simple terms:</p> <blockquote data-end="2135" data-start="2059"> <p data-end="2135" data-start="2061"><strong data-end="2135" data-start="2061">Don’t allow the same TOTP timestamp to pass validation more than once.</strong></p> </blockquote> <hr data-end="2140" data-start="2137" /> <h2 data-end="2162" data-start="2142"><strong data-end="2162" data-start="2145">💬 Conclusion</strong></h2> <p data-end="2354" data-start="2164">This vulnerability weakens the security of an otherwise strong 2FA system. By allowing TOTP reuse, the door is left open for attackers to exploit replay attacks and gain unauthorized access.</p> <p data-end="2439" data-start="2356">Fixing this requires a straightforward change: treat each TOTP as truly <em data-end="2438" data-start="2428">one-time</em>.</p>

Critical 2FA Vulnerability: Reusable TOTP Codes Allow Unauthorized Access

  Two-factor authentication (2FA) is supposed to be one of the strongest layers of account protection. But during routine testing, I discove...

Read more »

IP Rotation Loophole That Breaks Traditional Rate Limiting

<p> </p><p data-end="596" data-start="277">Rate limiting is one of the oldest and most widely used defenses in web security. It’s supposed to help protect login forms, password-reset flows, and other sensitive endpoints from abuse. But as the internet evolves, so do the tools attackers use—and some longstanding defenses no longer hold up the way they once did.</p><p data-end="596" data-start="277"> </p><p data-end="596" data-start="277"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV7qXKbaSawskWlOECRqG7qdufpRslL49mG3pP-Zt5Sixo_nkXaiwvuVZwAUjGo9Lol1FMo5Be_i9tFLe2VvmvSK4LAv6F4_VjjffKFtbyBhd8iWApCedmhXqBEuLXLpi47lnLgsMPbW_2lGSN3kVJaXABtk_etzbTWQzqZs0tE9VbfRQqn0gn1ajNRXM/s1024/Gemini_Generated_Image_ab516pab516pab51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1024" height="530" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV7qXKbaSawskWlOECRqG7qdufpRslL49mG3pP-Zt5Sixo_nkXaiwvuVZwAUjGo9Lol1FMo5Be_i9tFLe2VvmvSK4LAv6F4_VjjffKFtbyBhd8iWApCedmhXqBEuLXLpi47lnLgsMPbW_2lGSN3kVJaXABtk_etzbTWQzqZs0tE9VbfRQqn0gn1ajNRXM/w530-h530/Gemini_Generated_Image_ab516pab516pab51.png" width="530" /></a></div><br /> <p></p> <p data-end="935" data-start="598">Recently, while testing the security of a “Forgot Password” flow, I uncovered a flaw that highlights just how outdated IP-based rate limiting has become. With nothing more than basic IP rotation techniques, I was able to bypass the application’s throttling entirely and send unlimited password-reset requests to any target email address.</p> <p data-end="1094" data-start="937">This post walks through what I discovered, why it matters, and why developers need to rethink how they design defenses for critical authentication endpoints.</p> <hr data-end="1099" data-start="1096" /> <h2 data-end="1152" data-start="1101"><strong data-end="1152" data-start="1104">The Problem With IP-Based Throttling in 2025</strong></h2> <p data-end="1210" data-start="1154">Most applications today still follow a familiar pattern:</p> <ol data-end="1394" data-start="1212"><li data-end="1273" data-start="1212"> <p data-end="1273" data-start="1215">A user enters their email into the “Forgot Password” form.</p> </li><li data-end="1307" data-start="1274"> <p data-end="1307" data-start="1277">The server sends a reset link.</p> </li><li data-end="1394" data-start="1308"> <p data-end="1394" data-start="1311">To prevent abuse, the server limits how many requests can be made from the same IP.</p> </li></ol> <p data-end="1504" data-start="1396">At first glance, this seems reasonable. But in practice, attackers have countless ways to cycle through IPs:</p> <ul data-end="1730" data-start="1506"><li data-end="1533" data-start="1506"> <p data-end="1533" data-start="1508">VPNs and proxy services</p> </li><li data-end="1561" data-start="1534"> <p data-end="1561" data-start="1536">Shared hosting networks</p> </li><li data-end="1614" data-start="1562"> <p data-end="1614" data-start="1564">Cloud platforms like AWS, DigitalOcean, or Vultr</p> </li><li data-end="1678" data-start="1615"> <p data-end="1678" data-start="1617">IPv6 subnets that come with <em data-end="1656" data-start="1645">trillions</em> of unique addresses</p> </li><li data-end="1730" data-start="1679"> <p data-end="1730" data-start="1681">Botnets of compromised devices around the world</p> </li></ul> <p data-end="1835" data-start="1732">What does this mean?<br data-end="1755" data-start="1752" /> It means that IP-based rate limiting <strong data-end="1834" data-start="1792">no longer meaningfully limits anything</strong>.</p> <hr data-end="1840" data-start="1837" /> <h2 data-end="1879" data-start="1842"><strong data-end="1879" data-start="1845">What I Observed During Testing</strong></h2> <p data-end="1900" data-start="1881">My test was simple:</p> <ol data-end="2078" data-start="1902"><li data-end="1964" data-start="1902"> <p data-end="1964" data-start="1905">Submit multiple password-reset requests for the same email.</p> </li><li data-end="2047" data-start="1965"> <p data-end="2047" data-start="1968">Wait until the server returns a “too many attempts” or “rate limited” response.</p> </li><li data-end="2064" data-start="2048"> <p data-end="2064" data-start="2051">Change my IP.</p> </li><li data-end="2078" data-start="2065"> <p data-end="2078" data-start="2068">Try again.</p> </li></ol> <p data-end="2232" data-start="2080">Each time I switched IPs, the server completely reset the throttle. I was treated as a brand-new user—able to send more password-reset emails instantly.</p> <p data-end="2392" data-start="2234">It didn’t matter that I was requesting resets for the same email, in the same pattern, seconds apart. The only thing the server cared about was the client IP.</p> <p data-end="2410" data-start="2394">This meant that:</p> <ul data-end="2601" data-start="2412"><li data-end="2462" data-start="2412"> <p data-end="2462" data-start="2414">An attacker could send <em data-end="2448" data-start="2437">unlimited</em> reset emails.</p> </li><li data-end="2511" data-start="2463"> <p data-end="2511" data-start="2465">A user could be mail-bombed into submission.</p> </li><li data-end="2601" data-start="2512"> <p data-end="2601" data-start="2514">The underlying authentication endpoint could be brute-forced across thousands of IPs.</p> </li></ul> <p data-end="2728" data-start="2603">In short: the system’s main line of defense could be bypassed with a technique available to <em data-end="2703" data-start="2695">anyone</em> with a VPN subscription.</p> <hr data-end="2733" data-start="2730" /> <h2 data-end="2777" data-start="2735"><strong data-end="2777" data-start="2738">Real-World Abuse Isn’t Hypothetical</strong></h2> <p data-end="3006" data-start="2779">This kind of vulnerability has precedent. One of the most infamous examples was the 2015 Apple “Celebgate” incident, where attackers brute-forced credentials against an Apple endpoint that relied heavily on IP-based throttling.</p> <p data-end="3073" data-start="3008">The takeaway from that event—and countless others since—is clear:</p> <blockquote data-end="3164" data-start="3075"> <p data-end="3164" data-start="3077"><strong data-end="3164" data-start="3077">IP-based rate limiting is not a modern security control. It’s a speed bump at best.</strong></p> </blockquote> <p data-end="3240" data-start="3166">Yet many applications still depend on it as if it were a reliable barrier.</p> <hr data-end="3245" data-start="3242" /> <h2 data-end="3280" data-start="3247"><strong data-end="3280" data-start="3250">Why It Matters: The Impact</strong></h2> <p data-end="3343" data-start="3282">This loophole opens the door to a range of abusive behaviors:</p> <h3 data-end="3368" data-start="3345"><strong data-end="3368" data-start="3349">1. Mail Bombing</strong></h3> <p data-end="3482" data-start="3369">A malicious actor could bombard a victim’s inbox with hundreds or thousands of password-reset emails.<br data-end="3473" data-start="3470" /> This can:</p> <ul data-end="3590" data-start="3484"><li data-end="3520" data-start="3484"> <p data-end="3520" data-start="3486">overwhelm and frustrate the user</p> </li><li data-end="3556" data-start="3521"> <p data-end="3556" data-start="3523">hide legitimate security alerts</p> </li><li data-end="3590" data-start="3557"> <p data-end="3590" data-start="3559">degrade trust in the platform</p> </li></ul> <h3 data-end="3626" data-start="3592"><strong data-end="3626" data-start="3596">2. Distributed Brute Force</strong></h3> <p data-end="3799" data-start="3627">Login or reset endpoints that rely solely on IP throttling are particularly vulnerable.<br data-end="3717" data-start="3714" /> Attackers can distribute attempts across many IPs and avoid triggering any alarms.</p> <h3 data-end="3834" data-start="3801"><strong data-end="3834" data-start="3805">3. User Experience Damage</strong></h3> <p data-end="3976" data-start="3835">If users regularly receive unsolicited reset emails, they’ll perceive the platform as insecure—even if their account hasn’t been compromised.</p> <h3 data-end="4015" data-start="3978"><strong data-end="4015" data-start="3982">4. Potential Account Takeover</strong></h3> <p data-end="4150" data-start="4016">If combined with weak tokens, predictable reset flows, or other vulnerabilities, this issue could escalate to full account compromise.</p> <hr data-end="4155" data-start="4152" /> <h2 data-end="4197" data-start="4157"><strong data-end="4197" data-start="4160">Why This Is So Easy for Attackers</strong></h2> <p data-end="4256" data-start="4199">The reality is that rotating IP addresses is now trivial:</p> <ul data-end="4518" data-start="4258"><li data-end="4375" data-start="4258"> <p data-end="4375" data-start="4260">Many cloud providers offer full <em data-end="4309" data-start="4292">/64 IPv6 ranges</em>, giving attackers access to <strong data-end="4356" data-start="4338">18 quintillion</strong> addresses per VPS.</p> </li><li data-end="4442" data-start="4376"> <p data-end="4442" data-start="4378">Modern botnets contain millions of globally distributed devices.</p> </li><li data-end="4518" data-start="4443"> <p data-end="4518" data-start="4445">Proxy and VPN networks offer automated IP rotation as a standard feature.</p> </li></ul> <p data-end="4629" data-start="4520">A security control that assumes “one user = one IP” simply doesn’t reflect the state of the internet anymore.</p> <hr data-end="4634" data-start="4631" /> <h2 data-end="4692" data-start="4636"><strong data-end="4692" data-start="4639">How to Fix It: Modern Defenses That Actually Work</strong></h2> <p data-end="4841" data-start="4694">To meaningfully protect password-reset flows and similar endpoints, developers need to adopt <em data-end="4818" data-start="4787">multi-layered, identity-aware</em> mitigation strategies.</p> <p data-end="4879" data-start="4843">Here are the most effective options:</p> <h3 data-end="4910" data-start="4881"><strong data-end="4910" data-start="4885">1. CAPTCHA Challenges</strong></h3> <p data-end="5010" data-start="4911">A CAPTCHA (invisible or user-facing) prevents automated mass requests even across thousands of IPs.</p> <h3 data-end="5062" data-start="5012"><strong data-end="5062" data-start="5016">2. Rate Limiting Based on the Target Email</strong></h3> <p data-end="5152" data-start="5063">Instead of only limiting per-IP, also limit how often <strong data-end="5131" data-start="5117">each email</strong> can receive a reset.</p> <h3 data-end="5195" data-start="5154"><strong data-end="5195" data-start="5158">3. Behavioral and Velocity Checks</strong></h3> <p data-end="5212" data-start="5196">Look beyond IPs:</p> <ul data-end="5311" data-start="5213"><li data-end="5237" data-start="5213"> <p data-end="5237" data-start="5215">browser fingerprints</p> </li><li data-end="5258" data-start="5238"> <p data-end="5258" data-start="5240">request velocity</p> </li><li data-end="5289" data-start="5259"> <p data-end="5289" data-start="5261">unusual patterns or bursts</p> </li><li data-end="5311" data-start="5290"> <p data-end="5311" data-start="5292">device reputation</p> </li></ul> <h3 data-end="5353" data-start="5313"><strong data-end="5353" data-start="5317">4. Honeypots or Invisible Fields</strong></h3> <p data-end="5442" data-start="5354">Bots often fill fields humans never touch—this is an easy way to detect automated abuse.</p> <h3 data-end="5479" data-start="5444"><strong data-end="5479" data-start="5448">5. Abuse Detection Services</strong></h3> <p data-end="5641" data-start="5480">Modern WAFs (Web Application Firewalls) and anti-bot platforms use IP reputation, machine learning, and behavioral signals that far outperform raw IP throttling.</p> <h3 data-end="5665" data-start="5643"><strong data-end="5665" data-start="5647">6. User Alerts</strong></h3> <p data-end="5754" data-start="5666">Notify users when multiple reset attempts occur. Visibility itself is a form of defense.</p>

IP Rotation Loophole That Breaks Traditional Rate Limiting

  Rate limiting is one of the oldest and most widely used defenses in web security. It’s supposed to help protect login forms, password-rese...

Read more »