- Status: Closed
- Assigned To: cbay - Private
- Attached to Project: Security vulnerabilities
- Opened by waloodi_109 - 30.04.2025
- Last edited by cbay - 30.04.2025
FS#166 - User Can Create Token after Disabling 2fa
Hello Team,
I hope you are doing well. While researching your domain, I found that a user can create a token after disabling 2FA.
Steps to Reproduce:
1. Log in to your account at admin.alwaysdata.com.
2. Go to the Profile section and enable 2FA in order to generate a token.
3. 2FA is now enabled and you can generate a token.
4. After that, disable 2FA without refreshing the page or logging out of your account; you can still click the Generate Token button and see that you can generate a token after disabling 2FA.
Impact:
A user can create multiple tokens after disabling 2FA, which is also a 2FA bypass.
Thank You,
Waleed Anwar
Hello,
That's normal: even once you've disabled 2FA on your profile, you're still considered to have been authenticated by 2FA, so you can still create tokens until you've logged out.
Kind regards,
Cyril
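As an added illustration of the two checks at play (a constructed example, not alwaysdata's code): the session-flag check the reply describes, beside a stricter variant that also consults the profile's current 2FA setting at token-creation time. All class, function and token names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the flow in the report: a profile-level 2FA setting and a session flag.

@dataclass
class Account:
    username: str
    twofa_enabled: bool = False

@dataclass
class Session:
    account: Account
    twofa_verified: bool = False          # set once at login, cleared at logout
    tokens: list = field(default_factory=list)

def login_with_2fa(account: Account) -> Session:
    """Login that satisfied the second factor (hypothetical helper)."""
    return Session(account=account, twofa_verified=True)

def create_token_session_flag(session: Session) -> Optional[str]:
    """Behaviour described in the reply: only the session's 2FA flag is consulted."""
    if not session.twofa_verified:
        return None
    token = f"tok-{len(session.tokens) + 1}"   # constructed placeholder token value
    session.tokens.append(token)
    return token

def create_token_recheck(session: Session) -> Optional[str]:
    """Stricter variant: also require 2FA to be enabled on the profile right now."""
    if not (session.twofa_verified and session.account.twofa_enabled):
        return None
    token = f"tok-{len(session.tokens) + 1}"   # constructed placeholder token value
    session.tokens.append(token)
    return token

def replay_report(create_token) -> tuple:
    """Steps 2-4 of the report; returns (token before, token after) disabling 2FA."""
    acct = Account("alice")
    acct.twofa_enabled = True                  # step 2: enable 2FA on the profile
    session = login_with_2fa(acct)
    before = create_token(session)             # step 3: token issued with 2FA on
    acct.twofa_enabled = False                 # step 4: disable 2FA, same session, no logout
    after = create_token(session)
    return before, after

if __name__ == "__main__":
    print(replay_report(create_token_session_flag))  # ('tok-1', 'tok-2')
    print(replay_report(create_token_recheck))       # ('tok-1', None)
```

The difference is only where the 2FA decision is read from: the session flag persists until logout, while the profile setting reflects the change immediately.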