A researcher discovered a rate-limit bypass vulnerability in Microsoft's password reset flow that allowed brute-forcing 7-digit security codes through synchronized concurrent requests, enabling account takeover even with 2FA enabled. Microsoft patched the issue and awarded a $50,000 bounty.
A rate-limiting bypass vulnerability allowed attackers to brute-force Instagram account passwords through Facebook's mobile endpoint by distributing attempts across multiple test accounts created via Facebook apps, enabling up to 6 million password attempts daily instead of the intended 20 per account.
A brute-force vulnerability was discovered in Oculus identity verification during username changes, where the lack of rate limiting allowed an attacker to enumerate 6-digit OTP codes and distinguish valid codes from invalid ones by comparing response lengths (840 bytes for a valid code, 1152 bytes for an invalid one).
A 2FA bypass vulnerability in which improperly implemented rate limits could be evaded using the X-Forwarded-For HTTP header, allowing attackers to brute-force TOTP codes. The vulnerability stems from the rate limit being keyed on a client-controlled HTTP header rather than on a server-side session identifier.