Duo Two-factor Authentication Bypass
Original Post:
We discussed this vulnerability during Episode 73 on 20 April 2021
Two 2FA bypasses: one based on authentication state not being tied to the user's session, the other on swapping a transaction id to trick the server into treating the attacker's 2FA acceptance as the victim's.
Bug 1: If an attacker copies their sid cookie from a 2FA request and pastes it into the 2FA request for the victim's account, the 2FA push is sent to the attacker's device instead of the victim's.
Bug 2: The application receives a transaction id whose status it then polls for. If you intercept the poll and change the id to that of a transaction the attacker has already completed, the server considers the victim's transaction accepted.
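Both bugs come down to the same missing server-side binding: the second factor has to be tied to the login attempt it is meant to complete. The toy model below is an added example and not Duo's code or API; the class, the two cookies (`login_id` for the password step, `sid` for the 2FA step), the in-memory stores, the `Rejected` error and the constructed users `alice` (victim) and `mallory` (attacker) are all assumptions made for the illustration. Each vulnerable handler sits beside the hardened one that refuses a sid or transaction id that does not belong to the login being completed.

```python
"""Toy push-2FA server illustrating the two binding failures described above.
Not Duo's code: all names, cookies and users are constructed for this example."""

import secrets
from dataclasses import dataclass


@dataclass
class Txn:
    txn_id: str
    pushed_to: str        # account whose device received the push
    login_id: str         # login attempt that created the transaction
    status: str = "pending"


class Rejected(Exception):
    """Raised by the hardened handlers when state is not bound to this login."""


class TwoFactorServer:
    def __init__(self):
        self.devices = {"alice": "alice-phone", "mallory": "mallory-phone"}
        self.logins = {}   # login_id -> {"user": str, "granted": bool}
        self.tfa = {}      # sid -> user the 2FA state belongs to
        self.txns = {}     # txn_id -> Txn
        self.pushes = []   # (device, txn_id) for every push "sent"

    def password_ok(self, user):
        """First factor passed: open a login attempt and a 2FA state for it."""
        login_id, sid = secrets.token_hex(8), secrets.token_hex(8)
        self.logins[login_id] = {"user": user, "granted": False}
        self.tfa[sid] = user
        return login_id, sid

    def _push(self, user, login_id):
        txn = Txn(secrets.token_hex(8), user, login_id)
        self.txns[txn.txn_id] = txn
        self.pushes.append((self.devices[user], txn.txn_id))
        return txn.txn_id

    def approve_on_device(self, txn_id):
        """The device owner taps 'approve' on the push."""
        self.txns[txn_id].status = "approved"

    # Bug 1: the push target follows the sid cookie, the login being completed
    # follows login_id, and nothing checks that both refer to the same user.
    def request_push_vulnerable(self, login_id, sid):
        return self._push(self.tfa[sid], login_id)

    def request_push_hardened(self, login_id, sid):
        # Fix: the push goes to the user of THIS login attempt; a sid that
        # belongs to anyone else is rejected instead of honoured.
        user = self.logins[login_id]["user"]
        if self.tfa.get(sid) != user:
            raise Rejected("2FA state does not belong to this login")
        return self._push(user, login_id)

    # Bug 2: the poll trusts whatever transaction id the client names.
    def poll_vulnerable(self, login_id, txn_id):
        if self.txns[txn_id].status == "approved":
            self.logins[login_id]["granted"] = True
        return self.txns[txn_id].status

    def poll_hardened(self, login_id, txn_id):
        # Fix: only the transaction this login created, for this login's
        # own user, may complete it; any other id is rejected.
        txn = self.txns.get(txn_id)
        user = self.logins[login_id]["user"]
        if txn is None or txn.login_id != login_id or txn.pushed_to != user:
            raise Rejected("transaction is not bound to this login")
        if txn.status == "approved":
            self.logins[login_id]["granted"] = True
        return txn.status


def demo_bug1(hardened):
    """Attacker sends her own sid cookie with the 2FA request for the victim's login.
    Returns (device that received the push, whether the victim's login was granted)."""
    srv = TwoFactorServer()
    victim_login, _ = srv.password_ok("alice")
    _, attacker_sid = srv.password_ok("mallory")
    request = srv.request_push_hardened if hardened else srv.request_push_vulnerable
    try:
        txn = request(victim_login, attacker_sid)
    except Rejected:
        return None, False
    srv.approve_on_device(txn)                 # approved on the attacker's phone
    srv.poll_vulnerable(victim_login, txn)
    return srv.pushes[-1][0], srv.logins[victim_login]["granted"]


def demo_bug2(hardened):
    """Attacker approves her own transaction, then polls the victim's login with
    that transaction id. Returns whether the victim's login was granted."""
    srv = TwoFactorServer()
    victim_login, victim_sid = srv.password_ok("alice")
    srv.request_push_hardened(victim_login, victim_sid)   # victim never approves
    attacker_login, attacker_sid = srv.password_ok("mallory")
    attacker_txn = srv.request_push_hardened(attacker_login, attacker_sid)
    srv.approve_on_device(attacker_txn)
    poll = srv.poll_hardened if hardened else srv.poll_vulnerable
    try:
        poll(victim_login, attacker_txn)
    except Rejected:
        pass
    return srv.logins[victim_login]["granted"]
```

`demo_bug1(False)` reports the push landing on `mallory-phone` and the victim's login granted, while `demo_bug1(True)` is refused before any push is sent; `demo_bug2(False)` grants the victim's login on the attacker's approval, `demo_bug2(True)` does not. The general lesson is that every piece of multi-step authentication state (the 2FA cookie, the transaction id) must be stored against, and checked against, the server-side login attempt it belongs to, never taken from the request alone.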