2FA Bypass Grants Full Dashboard Without Verification Step

After password login the user reaches the merchant dashboard without completing the 2FA challenge, bypassing the second factor.

Target: European Payment Gateway
Category: Auth Bypass
Channel: Responsible Disclosure
Disclosed: 2026-04

Redaction note

Vendor identity withheld.

This finding is documented here as part of MemCyber’s public disclosure record. The vendor has been anonymized to a sector and region descriptor. Full technical detail — including root cause, reproducible proof-of-concept, remediation guidance, and vendor attribution where granted — is available to qualified prospects under NDA.

Coordinated disclosure

How we handled it.

Reported to the vendor via Responsible Disclosure with a reproducible proof-of-concept.
Triage + remediation window coordinated with the vendor security team.
Fix verified before any public reference.
This record published only after the embargo period closed.

2FA Bypass Grants Full Dashboard Without Verification Step

Vendor identity withheld.

How we handled it.

Complete API Authentication Bypass (ALL 66 Endpoints)

back-office OAuth Registration Bypass -> 2.33M Transaction Data Breach

Production Widget Uses Dev-Login Backdoor + Commented Access Key

Want the full technical detail?