Two-factor authentication systems can be bypassed when they store default authentication tokens (such as '000') in the session after initial login, allowing attackers to gain access without triggering the actual 2FA mechanism by simply entering the hardcoded default token value.
How Hackers Bypass Two-Factor Authentication Using CLAUDE
Check this out. We have a simple website which asks us to log in and we somehow figured out the password for the victim account. If I click login, it asks me to, well, send a two-factor authentication code to either my email or my phone. Now, I don't really have access to any of these because I hacked the account. So, I'm just going to click a phone and then it asks us to enter the code. I have no idea what the code is, so that won't work. In today's video, I'm going to show you how Claude can figure this out and actually break the whole website to allow us to bypass this altogether and still log in even though we do not have access to email or phone.
If you don't trust me, well, watch today's video to see exactly how we're going to do that. So, how exactly is Claude going to do this? Well, there's several things we have to talk about, but basically, I'm going to say, "Please be ethical and responsible."
What I'm currently teaching right now is all in the controlled bug bounty environment. And if you want to see more bug bounty content, please subscribe. We are very close to hitting 67,000, so could you please subscribe to help me reach that goal. So, basically, we will be Claude. And this is a two-factor authentication app which I made just before this video. Yeah, I made this.
And the way we're going to do this, right, is I have the access to the back-end code. This is the whole thing, right? And basically, I'm going to copy all of this and I'm going to give it to Claude and hopefully we can find a vulnerability.
So, we can select the whole thing, copy it, and go to Claude. Now, you might be wondering how exactly can I do this in real world? Well, there's many open-source projects out there and they're all offering bounty for it. So, basically, you can find a website which is open-source, you have source code for it, you can do the same thing, copy the code, give it to the Claude, and do this. So, basically, you have to tell him that this is your website.
So, start with, "Hi there, this is my website. This is my website. Please help me find any bugs before it goes into production." Why am I talking this way?
I have no idea. But basically, this is the way to go. So, now you can send this and hopefully hope for the best, I guess. So, there it is. This guy will analyze it and trust me, this is like really good.
And here is a thorough review of your app. I found several security issues ranging from critical security vulnerabilities to functional bugs. That's really good to hear. And there you go. We have a critical hardcoded two-factor authentication bypass. And there you go, it basically found this way. There's passwords stored in plain text, a weak hardcoded security key, either way. But this is the one which you're actually interested in.
The session stores two-factor authentication token as 000 after login.
Anyone who knows this value, it's in your source code, can bypass two-factor authentication entirely by sending a 000 without triggering a real send. The same default is stored after verification, leaving a permanent window. Interesting. So, we need to basically ask him what does this mean?
Because we are an idiot and we basically want him to figure everything out for ourselves. So, basically, what does this mean?
All right, good question. Let me actually walk you through.
Okay, so you log in, the code immediately sets the two-factor authentication on the session to 0000.
You're redirected to the two-factor authentication page, which asks you to choose an email or an SMS to receive a code. That is what we saw from the introduction. After you log in, that's actually it. Then, here's the problem.
You never have to click that. The two-factor check compares whatever you type against what's already set or 000. So, an attacker can go straight to /2FA, type 000, and they're all in. No email, no phone needed. All right, let's actually copy this. Let's go here. So, let's just, I guess, put it. Okay. And what did you tell us to put? Four zeros? So, I'm just going to copy this and put it. Click verify.
Boom. Two-factor authentication successful. We just logged in without ever actually knowing what the code was.
And there it is. Two-factor authentication successful. Your account is secure. Quote unquote. And there is your user information. That's my email, that's my phone number. And there it is.
We were able to bypass the two-factor authentication with a simple prompt to Claude. I think this is pretty powerful.
Now, another thing I wanted to talk about is that Claude can be used to also fix these issues. But, bear in mind that this was very, and I mean very descriptive. What you saw actually included a critical mark, the title, and including this short little description.
And if that's not clear, you can copy it like I did and give it to him and see what actually happens. I teach a lot about this on my bug bounty course, by the way, which you should check out. As I found a remote code execution on Windows, I definitely feel like a trustworthy source to learn more.
So, either way, this was definitely a very interesting find from Claude. But, there is one problem. We can actually ask him to fix this issue for us, and hopefully he can do that and bypass it or fix it all together. So, for all the developers, you can also fix the bugs in your code.
For the people who still didn't understand what was actually happening, let me explain. The thing is, after you log in on a fresh login, if you know the password, which you do, if you know the username, which you do, the two-factor authentication is set to 000. This is the default token. This is not something that should be happening. And then, after you go to 2FA preferred, only then you're asked to update this token. And as you can see, this is where the token actually gets randomized. As you can see, it is random choices, blah blah blah. But, under 2FA, it basically asks you to enter the code, and once you enter the code, it checks whether it's correct or what's set here. So, if this never happens, this is where the random token gets to be set, it will just fall back to the 000 because it's set here. So, if we never click any of these options we had here, sorry, if I just never click on any of these options like log in, oops, sorry, it will never update the code, or it will never update that token to be something else, and it can always be zero.
That's a pretty interesting find. And this is the fix, or a supposed fix. So, let's copy this. Let's go back to the code, and let's update this entire thing. Let's see if this was a fix.
Let's now log in, and it asks us to enter or choose any of these, but let's actually just go to 2FA again. Let's enter four zeros, verify it, and boom, there we go. We can no longer do it. And this is the power of Claude. It can both find bugs, and it can both fix them, and it will give you the whole code. It won't give you just, "Oh, go there and fix it." So, I think this is pretty cool. Let me know in the comments what you think about it. And thank you so much for watching this video. Stay safe, stay responsible most importantly, and as always, peace.
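The flaw described in the transcript, modeled next to a hardened version, as an added example (not the code shown in the video). The session is a plain dict, and the function names, the 6-digit code and the attempt limit are assumptions made for illustration.

```python
import hmac
import secrets

DEFAULT_TOKEN = "000"  # the hardcoded default the transcript describes

def login_vulnerable(session, user):
    # Bug: a guessable token sits in the session before any code is sent.
    session.update(user=user, verified=False, token=DEFAULT_TOKEN)

def verify_vulnerable(session, submitted):
    if submitted == session.get("token"):
        session["verified"] = True
    return session.get("verified", False)

def login_hardened(session, user):
    session.clear()
    session.update(user=user, verified=False, token=None, attempts=0)

def send_code(session):
    # The only place a token is minted; runs when the user picks email or SMS.
    session["token"] = f"{secrets.randbelow(10**6):06d}"
    session["attempts"] = 0
    return session["token"]  # delivered out of band in a real app

def verify_hardened(session, submitted, max_attempts=5):
    token = session.get("token")
    if token is None:  # no code was ever sent, so nothing can match
        return False
    session["attempts"] += 1
    if session["attempts"] > max_attempts:
        session["token"] = None  # force a fresh send after too many guesses
        return False
    if hmac.compare_digest(submitted.encode(), token.encode()):
        session["token"] = None  # single use: no value lingers after success
        session["verified"] = True
        return True
    return False

def skip_send_step(login, verify):
    # Constructed scenario: log in, never request a code, submit the default.
    session = {}
    login(session, "victim")
    return verify(session, DEFAULT_TOKEN)

if __name__ == "__main__":
    print("vulnerable:", skip_send_step(login_vulnerable, verify_vulnerable))
    print("hardened:  ", skip_send_step(login_hardened, verify_hardened))
```

The hardened path rejects any submission until a code has actually been issued, and clears the token after a successful check so the same value cannot be replayed.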