Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 30.04.2025
Last edited by cbay - 30.04.2025

FS#166 - User Can Create Token after Disabling 2fa

Hello Team,

I hope you are doing well. While researching your domain, I found that a user can create a token after disabling 2FA.

Steps to Reproduce:

1. Log in to your account at admin.alwaysdata.com.
2. Go to the Profile section and enable 2FA in order to generate a token.
3. With 2FA enabled, you can now generate a token.
4. Then disable 2FA, and without refreshing the page or logging out of your account, click the Generate Token button; you will see that you can still generate a token after disabling 2FA.

Impact:

A user can create multiple tokens after disabling 2FA, which is also a 2FA bypass.

Thank You,

Waleed Anwar

Closed by cbay
30.04.2025 15:39
Reason for closing: Invalid
Admin
cbay commented on 30.04.2025 15:39

Hello,

That's normal: even once you've disabled 2FA on your profile, you're still considered as having been authenticated by 2FA, so you can still create tokens until you've logged out.

Kind regards,
Cyril
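
To make the session semantics in Cyril's reply concrete, the following is an added Python model written for this page (an illustration, not alwaysdata's code). The `verified_2fa` flag lives on the session rather than on the profile, so disabling 2FA on the profile does not clear it, while logging out does; token creation is gated on that session flag. The `revoke_session_status` option is an assumption of this model and shows the stricter alternative, where disabling 2FA also drops the session's verified status, so a practitioner can compare both policies against the report's steps.

```python
"""Session-state model for the behaviour discussed in FS#166 (added illustration)."""
from dataclasses import dataclass, field
import secrets


class TwoFactorRequired(Exception):
    """Raised when a token is requested from a session that has not passed 2FA."""


@dataclass
class Profile:
    # Persistent account setting: whether 2FA is enabled on the profile.
    two_factor_enabled: bool = False


@dataclass
class Session:
    """One login session. `verified_2fa` records that THIS session passed a 2FA challenge."""
    profile: Profile
    verified_2fa: bool = False
    tokens: list = field(default_factory=list)

    def enable_2fa(self) -> None:
        self.profile.two_factor_enabled = True

    def verify_2fa(self) -> None:
        # Assumed: the OTP check itself succeeded; only the session-level flag matters here.
        self.verified_2fa = True

    def disable_2fa(self, revoke_session_status: bool = False) -> None:
        self.profile.two_factor_enabled = False
        # Stricter policy (assumption, not the behaviour described in the reply):
        # disabling 2FA also revokes the session's verified status.
        if revoke_session_status:
            self.verified_2fa = False

    def create_token(self) -> str:
        # Token creation depends on the session flag, not on the profile setting.
        if not self.verified_2fa:
            raise TwoFactorRequired("token creation requires a 2FA-verified session")
        token = secrets.token_hex(16)
        self.tokens.append(token)
        return token

    def logout(self) -> None:
        # Logging out is what clears the session's 2FA status.
        self.verified_2fa = False


def reproduce_report(revoke_on_disable: bool = False) -> dict:
    """Walk through the report's steps and record the outcome at each point."""
    session = Session(Profile())
    result = {}

    def attempt(label: str) -> None:
        try:
            session.create_token()
            result[label] = "token issued"
        except TwoFactorRequired:
            result[label] = "refused"

    attempt("before_2fa")                       # no 2FA yet: refused
    session.enable_2fa()
    session.verify_2fa()
    attempt("after_enable")                     # verified session: token issued
    session.disable_2fa(revoke_session_status=revoke_on_disable)
    attempt("after_disable")                    # default policy: still issued
    session.logout()
    attempt("after_logout")                     # logged out: refused
    return result


if __name__ == "__main__":
    print("default policy:", reproduce_report())
    print("revoke on disable:", reproduce_report(revoke_on_disable=True))
```

Under the default policy the "after_disable" step still issues a token, matching the reply; with `revoke_on_disable=True` it is refused, which is the change a team would make if it wanted disabling 2FA to take effect within the current session.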
