Published On Nov 8, 2019
This is my third finding in Avira. This bug is a broken authentication flow in their Two Step Verification System.
Impact: Multiple users are unable to log in to their accounts if two-step verification is enabled on these accounts using the same phone number.
Note: I also found another bug where I was able to bypass the two-step verification process and log in to these accounts without entering the passcode. (This bug is not fixed yet.)
I was awarded a certificate of appreciation from Avira.
Report Timeline :
Jun 13, 2019 : Report Sent (two bugs)
Jun 14, 2019 : Report Triaged
Oct 30, 2019 : 1st bug fixed
Oct 31, 2019 : Certificate Awarded
Visit my website: https://ahmadhalabi.net