Callum MacGregor, May 11, 2022:

Hello

One of my members alerted me to a bug by which any user can bypass the 2FA check.

To replicate: sign in to a new account that has not yet set up 2FA. When prompted to set it up, simply edit the URL so that it only contains https://<domain>/settings rather than the 2FA-generated URL (https://<domain>/settings/?do=initialMfa&ref=<ref>).

By doing this, a user can enter the member control panel and has the ability to change username, password, email etc., completely negating the purpose of 2FA!

If needed I have a video demo I can DM to a dev/admin, but I don't really want to post it publicly.

Thanks
Marc, May 11, 2022:

I'm not sure here how 2FA is actually being bypassed if they haven't set it up. There isn't anything to bypass there.
Callum MacGregor (author), May 11, 2022 (edited):

To give you some context, a database leak from my site (from 2016, before I started using Invision) surfaced on the web. Many users do not use a password manager and use the same password for all sites they visit. Consequently, a malicious actor could (and has) obtained the leak, grabbed some passwords and logged in to user accounts.

Even with 2FA on, they were able to get into the account, change the passwords and email addresses, and hijack control of many user accounts. This, to me, seems like a major security flaw. In my mind, a user shouldn't be able to change such important information when 2FA is on. Until they have verified 2FA and correctly set it up, this area should not even be viewable, let alone able to manipulate member info.

Edited May 11, 2022 by Callum MacGregor
Marc, May 11, 2022:

If 2FA is not set up on an individual account, what would stop that user from just setting up 2FA, and then changing the password?
Callum MacGregor (author), May 11, 2022:

Yes, OK, I see your point. Even if the member control panel were inaccessible, the attacker could still just set up 2FA and access it thereafter...

In that case, can you recommend any security settings in the AdminCP that would mitigate this? @Marc Stridgen
Marc, May 11, 2022:

There isn't really. If the user has the correct credentials, and the actual member hasn't set up 2FA, they can gain access and set up 2FA. Anything at all you set up around making sure the potential malicious user can't gain access would also block the legitimate one in this case.
Marc, May 11, 2022:

Just to note, if you know passwords have been found out, you should really force all users to update their passwords.
Callum MacGregor (author), May 11, 2022:

> 35 minutes ago, Marc Stridgen said: Just to note, if you know passwords have been found out, you should really force all users to update their passwords.

I was searching for a way to do this but couldn't find any. Is there an option within the AdminCP?
Nathan Explosion, May 11, 2022 (marked as Solution):
Callum MacGregor (author), May 11, 2022:

> 7 minutes ago, Nathan Explosion said:

Thanks for this, I have forced a password reset. Also thanks @Marc Stridgen for your assistance. I'll consider this resolved now.
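The two controls discussed in this thread, as an added example that is not code from Invision Community or from anyone posting above. It models the pattern behind the reported bug (a 2FA-setup gate that exists only in the post-login redirect, so a request typed straight to /settings is served) beside a version that enforces the same decision on the route itself, and the "force all users to update their passwords" action as a per-account flag that the hardened route honours. Only /settings and /settings/?do=initialMfa come from the report; the /login/mfa and ?do=password paths, the session fields and the function names are assumptions for illustration.

```python
# Added example: route-level gating for a member settings area.
# Not Invision Community code; flags, paths other than /settings and
# /settings/?do=initialMfa, and all function names are hypothetical.
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    authenticated: bool = True
    mfa_enrolled: bool = False         # user has completed 2FA setup
    mfa_verified: bool = False         # a 2FA code was checked in this session
    must_reset_password: bool = False  # set by an admin after a credential leak


MFA_SETUP_URL = "/settings/?do=initialMfa"     # taken from the report above
MFA_CHECK_URL = "/login/mfa"                   # hypothetical
PASSWORD_RESET_URL = "/settings/?do=password"  # hypothetical


def post_login_redirect(session: Session) -> str:
    """Where the login flow sends the user next. On its own this is only a
    suggestion to the browser; it protects nothing the user can type directly."""
    if session.must_reset_password:
        return PASSWORD_RESET_URL
    if not session.mfa_enrolled:
        return MFA_SETUP_URL
    if not session.mfa_verified:
        return MFA_CHECK_URL
    return "/"


def settings_route_vulnerable(session: Session) -> tuple[int, str]:
    """Pattern behind the bug: the only 2FA decision lives in the redirect,
    so any logged-in session that requests /settings directly is served."""
    if not session.authenticated:
        return 302, "/login"
    return 200, "member-control-panel"


def settings_route_hardened(session: Session) -> tuple[int, str]:
    """Same decision as the redirect, re-evaluated on the sensitive route, so
    editing the URL to skip the setup page no longer reaches the panel."""
    if not session.authenticated:
        return 302, "/login"
    target = post_login_redirect(session)
    if target != "/":
        return 302, target
    return 200, "member-control-panel"


def force_password_reset(sessions: list[Session]) -> int:
    """Admin action after a leak: flag every account. Hardened routes then
    refuse everything except the reset page until the flag is cleared."""
    for s in sessions:
        s.must_reset_password = True
    return len(sessions)


def complete_password_reset(session: Session, new_password_ok: bool) -> bool:
    """Clear the flag once the user has set a new password that passed policy."""
    if new_password_ok:
        session.must_reset_password = False
    return not session.must_reset_password


if __name__ == "__main__":
    # Constructed session: logged in with leaked credentials, 2FA never set up.
    fresh = Session(user="new-member")
    print(post_login_redirect(fresh))        # /settings/?do=initialMfa
    print(settings_route_vulnerable(fresh))  # (200, ...) despite pending 2FA
    print(settings_route_hardened(fresh))    # (302, '/settings/?do=initialMfa')
    force_password_reset([fresh])
    print(settings_route_hardened(fresh))    # (302, '/settings/?do=password')
```

Marc's caveat still holds: the hardened route closes the URL shortcut, but someone holding valid credentials for an account without 2FA can simply complete the setup page themselves. That is why, once a leak is known, the forced reset flag is the control that matters; the route gate only makes sure the reset cannot be skipped the same way the 2FA setup was.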