
We logged in as the user wiener, using the 2FA code we received in the email client.

We were then able to access the /my-account page as the user wiener.

We saw that the URL carries an id parameter that we could change to any user, but this failed for the user carlos because he was not logged in:
https://0a2c000d03fb63e18181931d004500e7.web-security-academy.net/my-account?id=carlos
We then logged in as the user carlos, and when the site asked for the 2FA code we simply requested the above URL instead. This skipped the 2FA page, gave us access to his /my-account page, and solved the lab.
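The root cause is that the session counts as logged in once the password step succeeds, before the 2FA code is checked. The sketch below is an added example, not the lab's own code: it models that flawed route check beside a hardened one, and the `Session` fields, function names and status codes are all assumptions made for illustration.

```python
# Added example: a minimal model of a two-step login, not the lab's real code.
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None   # set once the password is accepted
    mfa_verified: bool = False   # set only after the emailed code is accepted


def password_step(session: Session, user: str, password_ok: bool) -> None:
    """Step 1: record who passed the password check; 2FA is still pending."""
    if password_ok:
        session.user = user
        session.mfa_verified = False


def mfa_step(session: Session, submitted: str, expected: str) -> None:
    """Step 2: mark the session fully authenticated only on a correct code."""
    if session.user is not None and hmac.compare_digest(submitted, expected):
        session.mfa_verified = True


def my_account_weak(session: Session, requested_id: str) -> int:
    """Flawed check: a password-only session is treated as logged in."""
    if session.user == requested_id:
        return 200
    return 302  # redirect to the login page


def my_account_hardened(session: Session, requested_id: str) -> int:
    """Protected routes require the second factor to be complete."""
    if session.user is None or not session.mfa_verified:
        return 302  # back to the login / 2FA prompt
    if session.user != requested_id:
        return 403  # authenticated, but not the owner of this account
    return 200


if __name__ == "__main__":
    s = Session()
    password_step(s, "carlos", True)          # password accepted, 2FA skipped
    print(my_account_weak(s, "carlos"))       # 200: the behaviour seen above
    print(my_account_hardened(s, "carlos"))   # 302: sent back to the 2FA prompt
```

The hardened check has to run on every protected route, not only on the page that follows the 2FA form.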
