
Hacker "Teflon" Earns $70,000 by Exploiting 2FA Bypass Vulnerabilities in Bug Bounty Program
The hacker known as "Teflon" earned a total of $70,000 in rewards through a public bug bounty program by exploiting two authentication bypass vulnerabilities in two-factor authentication (2FA). The flaws were discovered in two separate applications belonging to the same company, reachable via different domains.

The method involved intercepting HTTP requests with Burp Suite, observing how the session tokens (the O2 and O3 tokens) were generated, and then manipulating the responses so that the O3 token was replaced with the O2 token, which enabled unauthorized access. The first vulnerability was identified in 15 minutes and earned $25,000; the second, a similar flaw in the other application, was found five months later in just a few minutes and paid an equivalent amount.

Teflon began full-time bug bounty hunting in December 2024 and secured their first significant reward in February 2025. Their advice to other hunters: analyze requests meticulously in Burp Suite and focus on applications you already know well.
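The report above only says that a pre-2FA session token was substituted for the post-2FA one and the server honored it. The defensive point a practitioner takes from that is that whether 2FA has been completed must be recorded on the server, keyed by an opaque token, and the pre-2FA token must be retired once the second factor is verified. The following is an added illustration written for this page, not the affected company's code or Teflon's method; the class and method names, the "stage-1"/"stage-2" labels standing in for the O2/O3 tokens, and the in-memory OTP stand-in are all constructed assumptions.

```python
"""
Server-side enforcement of 2FA completion (constructed defensive example).

Not the affected company's design: the page only reports that a pre-2FA
token was swapped in for the post-2FA token and accepted. The mitigation
shown is to keep 2FA state on the server, keyed by an opaque token, and to
rotate the token when the second factor succeeds, so that no client-side
token swap can promote a half-authenticated session. SessionStore and the
stage labels are assumptions made for this illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    mfa_complete: bool  # authoritative 2FA state lives here, not in the token


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        # Constructed stand-in for a real OTP verifier: expected code per pending token.
        self._pending_codes: Dict[str, str] = {}

    def password_login(self, user: str, otp_code: str) -> str:
        """Stage 1 (the 'O2'-style token): issued after the password only, NOT fully authenticated."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, mfa_complete=False)
        self._pending_codes[token] = otp_code
        return token

    def verify_second_factor(self, token: str, code: str) -> Optional[str]:
        """Stage 2 (the 'O3'-style token): on a correct code, rotate to a fresh token marked MFA-complete."""
        sess = self._sessions.get(token)
        expected = self._pending_codes.get(token)
        if sess is None or expected is None or not hmac.compare_digest(code, expected):
            return None
        # Rotate: the stage-1 token is invalidated so it can no longer be presented
        # anywhere, regardless of what the client does with the response.
        del self._sessions[token]
        del self._pending_codes[token]
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = Session(user=sess.user, mfa_complete=True)
        return new_token

    def authorize(self, token: str) -> bool:
        """Protected-resource check: the decision comes from server-side state only."""
        sess = self._sessions.get(token)
        return sess is not None and sess.mfa_complete


def demo() -> Tuple[bool, bool, bool]:
    """Walk through the flow; returns (swap_accepted, full_login_ok, replay_accepted)."""
    store = SessionStore()
    o2 = store.password_login("alice", "123456")   # constructed sample user and code
    swap_accepted = store.authorize(o2)             # stage-1 token offered as if post-2FA
    o3 = store.verify_second_factor(o2, "123456")
    full_login_ok = o3 is not None and store.authorize(o3)
    replay_accepted = store.authorize(o2)           # stage-1 token after rotation
    return swap_accepted, full_login_ok, replay_accepted


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are in `authorize` and `verify_second_factor`: the protected path never infers 2FA completion from which token the client chose to send, and the pre-2FA token stops existing once the second factor is accepted, so substituting it client-side yields a rejected request rather than a privileged session.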