Riot Games 2FA implementation is inherently broken: The same code can be used multiple times.

The code is also emailed to you, and email is known to be an insecure channel. You do not have the option to use your own TOTP application to generate login codes.

Riot Games responded to a report saying that the system is "working as intended".

Lesson? Phish Riot accounts. They will do nothing to stop you.

Also, HackerOne is an absolute fucking joke.


"A 2FA bypass is not a bug because you'd need to know the username and password to use it"

uhhhhh folks what do you think 2FA is for?

@r000t this is the company which is confident about the rootkit they require you to install in order to play their games

@xerz HackerOne ticket I opened this morning.

I gotta give them props for the response time, but that's it.

@xerz iknorite?

They do offer a much larger bounty for anybody who can pop vgk.sys ("Vanguard"),

But at the same time, the exact same rubric says that "Logic flaw bugs leaking or bypassing significant security controls" in "Critical Riot infrastructure (game servers, services in the game loop, Riot accounts infrastructure)" pays between $1,000-$10,000. I got zero, and was told that they won't even fix the problem.

So there very well could be bugs in Vanguard, that Riot refuses to admit are bugs

@xerz FWIW, any MDM/AD domain profiles I roll out specifically block the big "anticheat" drivers.

I get to hide behind "opaque kernel blobs bad for security lmao" and the companies get to hide behind "don't play video games on work issued equipment"
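
The first post's complaint is that an emailed login code keeps working after it has already been used. As an added illustration (not Riot's code and not part of the thread; the class, its parameters and the sample user name are hypothetical), this contrasts a verifier that leaves the code valid with one that consumes it on first success, expires it, and caps wrong guesses:

```python
import hmac
import secrets
import time


class EmailCodeStore:
    """In-memory store of pending login codes (hypothetical; a real service would persist this)."""

    def __init__(self, ttl=300, max_attempts=5, single_use=True, clock=time.monotonic):
        self.ttl = ttl                    # seconds a code stays valid
        self.max_attempts = max_attempts  # wrong guesses allowed before the code is voided
        self.single_use = single_use      # False reproduces the reuse behaviour described above
        self.clock = clock
        self._pending = {}                # user -> [code, expires_at, failed_attempts]

    def issue(self, user):
        # Issuing a new code replaces any older one for the same user.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, self.clock() + self.ttl, 0]
        return code  # a real service would email this instead of returning it

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, failures = entry
        if self.clock() >= expires_at or failures >= self.max_attempts:
            del self._pending[user]       # expired or guessed too often: void it
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            entry[2] += 1                 # count the wrong guess
            return False
        if self.single_use:
            del self._pending[user]       # consume the code so a replay fails
        return True


def replay_outcomes(single_use):
    """Submit the same code twice; return (first_result, second_result)."""
    store = EmailCodeStore(single_use=single_use)
    code = store.issue("alice")           # constructed sample user
    return store.verify("alice", code), store.verify("alice", code)


if __name__ == "__main__":
    print("reusable  :", replay_outcomes(single_use=False))
    print("single-use:", replay_outcomes(single_use=True))
```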

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.