3. PSA: SMS 2FA can be completely bypassed on Fidelity's website

PSA: SMS 2FA can be completely bypassed on Fidelity's website

reposting my claim of first repro of a 2fa bypass.

I had deleted my first claim, because when I tested it again it didn't work. I flushed the browser and it did work again, so some residual state gets left after login that needs to be cleared to make it work again.

I had no communication with u/illamaste-to-you on this, and it is likely not the same mechanism. I don't use ATP, either.

I don't want to drop hints. But this is all about entry points, and knowing where you want to go.

It's pretty brain dead easy. I think it reflects the overall looseness of engineering around the retail products at fidelity.

u/illamaste is correct that anyone using sms text-based 2fa should assume it's easily bypassed.

I used only my username and login, and was able to get to my positions page and place a trade. Therefore I'm confident I'm fully "logged in" from the Fidelity point of view.

I had previously tested that my enabled 2fa really worked. It did, I could only login with the text code. I actually got blocked by their bot/security detection with the standard "system error, try again later" message and switched to another browser which still worked fine.

I literally only tried 2 or 3 ideas before I found a way in (without sms 2fa, just username/pass)

/r/fidelityinvestments Thread
Previous
Next

Recently removed from /r/fidelityinvestments

Learn to be a more informed trader in just 2 hours a month w/John Gagliardi, Regional Brokerage Consultant (2 PM ET - 3 PM ET) Issue with trying to do a rollover. Who can I dm? Cmon fidelity! Can we please get access to routing through IEX . This is extremely important and I think it’s lame that y’all aren’t making this a priority. Please pass it on

More Random Comments

When I released this song it was the least watched at release and I missed out on a record deal. But you guys spread it so much to where it’s my most successful one and pursuing music without a label is now a realistic possibility. From the bottom of my heart, thank you. I owe my life to all of you Had to postpone our celebrations there but... RIP TikTok :) I’ve had a DSLR for a week and it’s been 100% therapeutic in dealing with the suicide of a friend Thoughts on Gazlowe rework? New Info - Game Master Update - Tri-Attack buffed [Serious] Who's the worst human being you've ever met? Wubba Lubba dub bub by GALENAS. (Hybrid) Justice Ruth Bader Ginsburg, Champion Of Gender Equality, Dies At 87 Supreme Court Justice Ruth Bader Ginsberg dead at 87 Sort by controversial Is being schizoid like being socially anorexic? 6250 computer networks is no joke...... Goddammit fruit flies. How do I get rid of these god damn fruit flies for good? Culture War Roundup for the Week of September 14, 2020 "It happened in Germany, so that's Germany's history."