Video summary

This Simple Vulnerability Was Worth $70,000

Main summary

Key takeaways

Technology

Overview / Key takeaways

  • The video explains how a researcher (“Teflon”) earned $70,000 total from a public bug bounty program by finding two similar 2FA authentication bypasses.
  • The core theme is that the bugs are not flashy (no RCE, no XSS). Instead, the payouts came from careful observation of authentication/session behavior and repeating it against other accounts/endpoints.

Bug bounty #1: 2FA bypass via session/token behavior + replay/match-replace

Goal

Exploit two-factor authentication (2FA) as a secondary authentication bypass.

Approach

  • Use Burp Suite to intercept all requests during login.
  • After entering the correct 2FA, the app issues:

    • a session ID
    • cookies including:
      • auth2 token (noted as present after the password entry stage)
      • auth3 token (issued after successful 2FA)
  • The researcher observed that auth3 token matched the same string value pattern as auth2 token from the earlier stage—described as “very weird.”

Exploit (lab demonstration)

  • For a victim login (password known, 2FA code unknown), intercept the failed/incorrect 2FA flow.
  • Replace the response/cookie header values:
    • keep/carry the cookie issued after password entry (auth2 token)
    • overwrite the 2FA-success cookie so that auth3 token = auth2 token string
  • Forward the modified request to obtain a valid authenticated session despite not knowing the real 2FA code.

Verification note (mentioned)

  • The host clarifies the behavior is effectively match-and-replace, but it may require correct timing/data alignment for certain parameters (e.g., cookies/encoded values).

Impact / payout

  • Over $25,000 (exact amount not specified)
  • Described as “pretty significant.”

Bug bounty #2: Similar 2FA bypass pattern on related infrastructure

How it reached the extra half of the $70k

  • After bug #1, Teflon reused the idea on other endpoints/domains within the same underlying infrastructure.
  • Even though the apps/domains differed, the authentication logic patterns were similar enough to apply the technique again.

Exploit concept

  • Another 2FA bypass using the same general match-and-replace / forging token behavior.
  • The cookie names/parameters differed, but the logic was similar:
    • if validly encoded/encrypted token data is present in the expected location/parameter, the server accepts it even if it originated from a different parameter/context.
  • The key clarification: it’s not about the specific semantic data—rather, about the format/encoding/encryption matching what the server expects.

Impact / payout

  • Also a little over $25,000.

Timeline / effort

  • Total time described: about 3 months of hard, strenuous work for full-time bug bounty starting in Dec 2024.
  • First significant payout: mid-February 2025.
  • Discovery speed:
    • the first bug was found in ~15 minutes after opening the app
    • but expanding to other endpoints/environments took additional time (later found in other places within months)
  • Context about grind:
    • the host mentions Teflon (and others from the Discord) did 4–5 months of heavy grinding, including long overnight sessions—reinforcing it wasn’t a “shortcut.”

Security/industry analysis emphasized

  • Why these issues get missed:
    • 2FA bypasses are “not sexy” compared to RCE/SQLi/SSRF.
    • Many hackers ignore “boring” areas like session creation, token issuance, and cookie-to-stage mapping.
  • Key technical lesson:
    • Many apps issue multiple tokens across login stages.
    • If those tokens are re-usable/replacement-tolerant (or equivalently structured), attackers may substitute tokens and bypass the intended second step.

Tutorial/learning advice (tools + targets)

Burp Suite guidance

  • “Monitor everything in Burp Suite and hack what you know.”

Practical examples given

  • If you use TikTok, look at related domains and background requests behind the browser.
  • Try hacking Spotify if you use it (as a familiar target area).

Core method

  • Observe what changes per request, especially around authentication/session flows.

Main speakers / sources

  • Host / narrator: the YouTube channel owner (intro and lab walkthrough).
  • Guest researcher: Teflon (credited for the two 2FA bypass bugs totaling ~$70,000).
  • Mentioned as source/influence: HamSec (taught the principle to “learn the app better than the developers” through videos).

Original video