Researcher bypassed 2FA on a private program by discovering that the 2FA verification endpoint did not validate the Google Captcha header (unlike the login endpoint), allowing brute-force of TOTP codes within the 59-second window using 888 threads in Burp Intruder.
A security researcher discovered a rate-limiting vulnerability in Microsoft's password reset flow that could be exploited via concurrent requests to brute-force 7-digit security codes, bypassing encryption and rate limits to enable account takeover even on accounts with 2FA enabled. Microsoft patched the vulnerability and awarded a $50,000 bounty.
Article introduces brute-force attacks against web application authentication systems as part of a web security series. Limited technical detail available from snippet alone.