- Status Closed
Assigned To
cbay - Private
Attached to Project: Security vulnerabilities
Opened by nexxp - 23.08.2025
Last edited by cbay - 25.08.2025
FS#204 - Title: Expired TOTP Code Accepted – Broken 2FA Validation
#Description:
During testing, I found that the TOTP code verification does not properly validate the expiry window. Even after waiting for the OTP to expire (30s), I was still able to use the expired code to perform sensitive actions like updating my profile.
#Impact:
Replay attack possible using previously used OTPs.
Weakens 2FA mechanism.
May allow attackers to bypass intended security checks.
#Steps to Reproduce:
Enable 2FA on account.
Generate OTP via authenticator app.
Wait for 30 seconds until OTP expires.
Submit the expired OTP.
Server still processes the action (profile updated).
#Expected Behavior:
The expired OTP should be rejected.
#Actual Behavior:
Expired OTP is accepted.
Hello,
We do accept OTPs that are slightly expired to accommodate network or human latency, as suggested in https://datatracker.ietf.org/doc/html/rfc6238#section-5.2.
Kind regards,
Cyril