A logic flaw was discovered in Meta's Account Center 'This wasn't me' disavow flow that could potentially be exploited for unauthorized account access or control, which Meta later patched.
A critical logic flaw in Movement Labs' full node software lacked height-based fork-choice logic, allowing two blocks at the same height with different IDs to be processed and permanently splitting the chain. The vulnerability stemmed from a missing height check in the process_block_from_da function, enabling double-spend attacks and necessitating a hard fork to resolve.
A researcher chained improper authorization with a race condition to harvest credit card details from an e-commerce checkout page. By rapidly multi-threading requests to a checkout URL while a victim submitted their payment information, the attacker could receive server responses containing the victim's full credit card and personal details before the redirect, bypassing the need for form submission errors.
A logic flaw in 2FA implementation across multiple platforms (Google, Microsoft, Instagram, Cloudflare) allows an attacker to maintain persistence after password recovery by exploiting session renewal in the 2FA page and leveraging the fact that disabled 2FA codes still validate, enabling account takeover without knowing the current password.
A researcher discovered a 2FA bypass vulnerability where backup codes were not validated, allowing any random 8-digit number to successfully authenticate instead of the legitimate backup code. The vulnerability was due to missing input validation on the backup code authentication path.