Jump to content

2FA Security Bypass


Go to solution Solved by Nathan Explosion,

Recommended Posts

Hello

One of my members alerted me to a bug by which any user can bypass the 2fa check. 

To replicate: Sign into a new account that has not yet set up 2fa, when prompted to set it up simply edit the URL so that it only contains https://<domain>/settings rather than the 2fa generated url (https://<domain>/settings/?do=initialMfa&ref=<ref>)

By doing this, a user can enter the member control panel and has the ability to change username, password, email etc - completely negating the purpose of 2fa!

If needed I have a video demo I can DM to a dev/admin but don't really want to post it publicly.

Thanks

Link to comment
Share on other sites

Posted (edited)

To give you some context, a database leak from my site (from 2016, before I started using Invision), surfaced on the web. Many users do not use password manager and use the same password for all sites they visit. Consequently, a malicious actor could (and has) obtained the leak, grabbed some passwords and logged into to user accounts. Even with 2fa on, they were able to get into the account, change the passwords and email addresses, and hijack control of many user accounts. 

This, to me, seems like a major security flaw.

In my mind, a user shouldn't be able to change such important information when 2fa is on. Until they have verified 2fa and correctly set it up, this area should not even be viewable let alone able to manipulate member info.

Edited by Callum MacGregor
Link to comment
Share on other sites

There isnt really. If the user has the correct credentials, and the actual member hasn't set up 2FA, they can gain access and set up 2FA. Anything at all you set up around making sure the potential malicious user cant gain access, would also block the legitimate one in this case

Link to comment
Share on other sites

35 minutes ago, Marc Stridgen said:

Just to note, if you know passwords have been found out, you should really force all users to update their passwords

 

I was searching for a way to do this but couldn't find any. Is there an option within admincp?

Link to comment
Share on other sites

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...