isc2.org MFA Bypass Report

Hello All,

I discovered an MFA bypass on (ISC)2’s (company behind the CISSP certification) website a few months ago and wanted to share here.

I reported the issue to (ISC)2, and they did fix it, but the issue existed for several months. The issue was caused by a misconfiguration when they changed SSO providers from Okta to Salesforce Identity.

The issue was that you could register SMS as an MFA method in the login flow, bypassing all other registered MFA methods.

If you had the person’s password, and they hadn’t already registered SMS, then you could bypass the registered MFA method (i.e. authenticator app code) by entering ANY phone number and registering that phone number as an additional MFA method.

Read my full report here: isc2.org Website MFA Bypass Vulnerability – Blog – GRC Academy

Here is the link to the demonstration video: https://www.youtube.com/watch?v=CPB2GFgQ0j4

After I published my report, I did get some coverage from Brian Krebs and Infosecurity Magazine!

I asked (ISC)2 if they would provide recognition for me, CPEs, or anything else, and they said NO…

The process from submission to trying to get media coverage was quite interesting! I’m happy to answer questions!

Have a great rest of the week!

Jacob Hill | https://www.linkedin.com/in/jacobrhill/

submitted by /u/Unified-Rogue-Agent
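The enrollment-ordering flaw the post describes, modelled as an added example that is not part of the original post and not (ISC)2's or Salesforce's code: a toy login flow where the flawed policy lets a password-only session enrol SMS and then satisfy MFA with it, while the corrected policy refuses to enrol any new factor until an already-registered one has been completed. The factor names, the `strict` flag and the account data are assumptions.

```python
"""Constructed model of the MFA enrollment-ordering flaw (not the real login code)."""
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str
    factors: set = field(default_factory=set)  # registered factor names, e.g. {"totp"}


def may_enroll_factor(account: Account, password_ok: bool, completed: set, strict: bool) -> bool:
    """Decide whether the current session may register a new MFA factor.

    strict=False reproduces the misconfiguration: a verified password alone is enough.
    strict=True requires that the session has already completed one of the factors
    on file; only an account with no factors at all may enrol its first one.
    """
    if not password_ok:
        return False
    if not strict:
        return True
    return not account.factors or bool(completed & account.factors)


def login(account: Account, password: str, completed: set, enroll: str = None, strict: bool = True) -> str:
    """Return 'allow' or 'deny' for one login attempt.

    completed: factors the session has genuinely completed, e.g. {"totp"}.
    enroll: a new factor the session asks to register mid-login, or None.
    """
    password_ok = password == account.password  # model only; a real check uses a hash
    if not password_ok:
        return "deny"
    if enroll and enroll not in account.factors:
        if not may_enroll_factor(account, password_ok, completed, strict):
            return "deny"  # hardened flow: existing factor must be satisfied first
        account.factors.add(enroll)
        completed = completed | {enroll}  # a freshly enrolled factor counts as completed
    # MFA gate: an account with factors must have completed at least one of them
    if account.factors and not (completed & account.factors):
        return "deny"
    return "allow"
```

With `strict=False`, an attacker holding only the password and an arbitrary phone number reaches "allow" without ever touching the victim's authenticator app; with `strict=True` the same request is denied and the account's factor list is left unchanged.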

March 22, 2023