GitHub's sudo mode feature requires re-authentication for sensitive account actions (email changes, SSH key additions, PAT creation, third-party app authorization) with a 2-hour session timeout. Users can confirm access via password, passkey, security key, GitHub Mobile, 2FA code, or social login email.
A vulnerability in Instagram allowed an attacker who had obtained the account credentials to reactivate an account without 2FA verification, even though 2FA was enabled. The issue was fixed within three weeks and earned a $500 bounty.
A two-factor authentication bypass in Instagram allowed an attacker to link a victim's 2FA-enabled account to their Facebook Business Manager account; the account linking process automatically bypassed the 2FA prompt.
A researcher discovered a vulnerability in Instagram's authentication system that allowed enumeration of accounts with 2FA enabled, reported through Facebook's bug bounty program.
A 2FA bypass vulnerability was discovered in a password reset flow: removing the 'token' parameter from a POST request allowed an attacker to change a user's password without providing a valid 2FA code.