Application allows an invalid MFA code to be submitted an unlimited number of times, which may lead to brute force on compromised accounts
Expected Results
The application should limit the number of attempts with an invalid MFA code, and if the user has made that many invalid attempts, the user must be notified by email of multiple MFA failures.
Browser version and OS version
Device: MacBook Pro 13 inch
Browser: Version 92.0.4515.107 (Official Build) (x86_64)
Assumptions
User has valid credentials to log in and has set up 2-Step Verification on the account
Steps to Reproduce
Target URL
https://www.newegg.com/
https://secure.newegg.com/
Screenshots or Screen Capture
https://user-images.githubusercontent.com/5712602/128213435-031a4a0f-c470-46f0-8ad2-55c8b1c50736.mov
Current Results
Application allows an invalid MFA code to be submitted an unlimited number of times, which may lead to brute force on compromised accounts
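A sketch of the behaviour described under Expected Results, added here as an example and not taken from the reported application: a server-side, per-account counter that locks MFA verification after repeated invalid codes and notifies the account owner once per lockout. The class name, the `notify` hook, the threshold and the lock duration are all assumptions.

```python
import hmac
import time

MAX_FAILURES = 5          # assumed threshold; the report does not name a number
LOCK_SECONDS = 15 * 60    # assumed lockout duration


class MfaAttemptLimiter:
    """Caps invalid MFA codes per account and notifies the owner on lockout."""

    def __init__(self, notify, clock=time.monotonic):
        self._notify = notify      # hypothetical hook, e.g. sends the e-mail
        self._clock = clock
        # State is keyed by account, not by session or IP, so starting a
        # new login session does not reset the count.
        self._failures = {}        # account -> consecutive invalid codes
        self._locked_until = {}    # account -> time the lock expires

    def verify(self, account, submitted, expected):
        """Return 'ok', 'invalid' or 'locked' for one MFA submission."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            # While locked, even a correct code is refused, so guessing
            # during the lock window yields no information.
            return "locked"
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= MAX_FAILURES:
            self._failures.pop(account, None)
            self._locked_until[account] = now + LOCK_SECONDS
            self._notify(account, count)   # one notification per lockout
            return "locked"
        self._failures[account] = count
        return "invalid"


if __name__ == "__main__":
    sent = []
    limiter = MfaAttemptLimiter(lambda acct, n: sent.append((acct, n)))
    # Constructed input: wrong codes against a constructed expected code.
    for guess in ["000000", "000001", "000002", "000003", "000004", "123456"]:
        print(guess, limiter.verify("user@example.com", guess, "123456"))
    print("notifications:", sent)
```

In a real deployment the two dictionaries would live in a shared store so that every application server sees the same count.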