Missing 2FA on KYC Identity Changes

How a crypto exchange allowed users to change their verified identity documents without requiring two-factor authentication.

The Target

A cryptocurrency exchange that requires KYC (Know Your Customer) verification before users can trade or withdraw funds. Users must submit government-issued ID documents and complete facial verification during onboarding.

What Is KYC?

KYC is the identity verification process that financial platforms use to comply with anti-money laundering (AML) regulations. Once a user is verified, their identity is tied to their account — it's the foundation of trust between the platform and the user.

The Vulnerability

While testing the account settings, I found that the platform allowed users to re-submit their KYC documents — essentially changing the verified identity attached to the account. This is sometimes legitimate (name changes, expired documents), but the critical issue was how the platform handled the authorization.

1. No 2FA Required: Changing the KYC identity — the most sensitive operation on a financial platform — did not require two-factor authentication. If an attacker gained access to a user's session (through session hijacking, XSS, or credential stuffing), they could immediately change the account's identity.

2. No Email Confirmation: The identity change didn't trigger an email notification to the account owner. The legitimate user would have no idea their identity documents had been replaced.

3. Immediate Effect: Once the new documents were submitted, the account was immediately updated. There was no cooling-off period, no manual review queue, and no restriction on withdrawals during the identity change process.

4. Attack Scenario: An attacker compromises a session → changes the KYC to their own identity → platform now considers the attacker the "verified owner" → attacker can change password, disable 2FA, and drain the wallet.

Impact

  • Full account takeover by changing the verified identity
  • Attacker becomes the "legitimate" owner in the platform's eyes
  • Enables password reset, 2FA removal, and fund withdrawal
  • No notification to the real account owner
  • Regulatory compliance risk — KYC integrity is a legal requirement

Timeline

Reported with a clear attack scenario. The team added mandatory 2FA verification and email confirmation for any KYC document changes. They also implemented a 24-hour withdrawal lock after identity changes.

Takeaway

Always check whether the most sensitive actions on a platform require step-up authentication (2FA, re-entering the password, email confirmation). On financial platforms, the most critical flows are: identity changes, withdrawal address changes, 2FA disable/change, and password reset. If any of these can be completed with nothing more than a session cookie, that's a finding. Think like an attacker who already holds a stolen session — what's the worst they can do?
