- Status Closed
- Assigned To No-one
- Private
Opened by monty099 - 02.10.2025
Last edited by nferrari - 03.10.2025
FS#219 - Title: Security Report — 2FA Bypass via OAuth
Summary
When two-factor authentication (2FA) is enabled, signing in via OAuth results in immediate access to the account without being prompted for the 2FA code. This behavior effectively bypasses the account's second authentication factor.
Reproduction steps:
1. Create or use an existing account on the target site (e.g., user@example.com) and enable 2FA (TOTP).
2. Log out of the site and clear session cookies.
3. Click Sign in with Google and complete Google's OAuth flow using the same email address.
4. Observe: Access to the site is granted immediately and no 2FA prompt is shown.
Expected behavior: After successful OAuth, if the account has 2FA enabled, the site should require the configured 2FA method (TOTP / OTP / push) before issuing an authenticated session.
POC: https://admin.alwaysdata.com/support/89687/
Impact:
2FA Bypass
—
Technical root causes (likely)
The server does not check the account's mfa_enabled flag after successful OAuth and issues a session immediately.
—
Recommended fix
Enforce MFA server-side after OAuth: After completing the OAuth/SAML flow, check the user's MFA status and require the configured 2FA verification before issuing the session.
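As an added illustration of the fix the report recommends (this is example code written for this page, not the reporter's proof of concept and not alwaysdata's code), the Python below models the OAuth callback both ways: `vulnerable_oauth_callback` issues a session as soon as the identity provider returns a verified email, while `hardened_oauth_callback` consults the account's `mfa_enabled` flag and hands out only a short-lived pending token until `complete_mfa` has verified a TOTP code. The user store, the function names and the pending-token scheme are assumptions; the TOTP secret is the RFC 6238 reference key so the output is repeatable.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed in-memory user store standing in for the site's account database.
# The secret is the RFC 6238 reference key ("12345678901234567890" in base32),
# chosen only so the example is deterministic; a real deployment uses a random one.
USERS = {
    "user@example.com": {"mfa_enabled": True,
                         "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    "nomfa@example.com": {"mfa_enabled": False, "totp_secret": None},
}
PENDING_MFA = {}          # pending_token -> {"email", "expires"} (assumed scheme)
PENDING_TTL = 300         # seconds the user has to finish the second factor


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret_b32, now, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(now // step))


def verify_totp(secret_b32, code, now, step=30, window=1):
    """Accept the current step and +/- `window` neighbours, compared in constant time."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))


def issue_session(email):
    return {"user": email, "token": secrets.token_urlsafe(32)}


def vulnerable_oauth_callback(email):
    """The behaviour the report describes: IdP-verified email -> full session,
    with mfa_enabled never consulted."""
    if email not in USERS:
        return {"status": "unknown_user"}
    return {"status": "authenticated", "session": issue_session(email)}


def hardened_oauth_callback(email, now=None):
    """Recommended fix: after the OAuth flow, gate session issuance on the
    account's MFA status. An MFA-enabled account gets only a short-lived
    pending token, never a session."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return {"status": "unknown_user"}
    if user["mfa_enabled"]:
        token = secrets.token_urlsafe(16)
        PENDING_MFA[token] = {"email": email, "expires": now + PENDING_TTL}
        return {"status": "mfa_required", "pending_token": token}
    return {"status": "authenticated", "session": issue_session(email)}


def complete_mfa(pending_token, code, now=None):
    """Second step: exchange a pending token plus a valid TOTP code for a session.
    The pending token is single-use, so a wrong code sends the user back through OAuth."""
    now = time.time() if now is None else now
    entry = PENDING_MFA.pop(pending_token, None)
    if entry is None or entry["expires"] < now:
        return {"status": "expired"}
    user = USERS[entry["email"]]
    if not verify_totp(user["totp_secret"], code, now):
        return {"status": "invalid_code"}
    return {"status": "authenticated", "session": issue_session(entry["email"])}


if __name__ == "__main__":
    t = 59                                   # fixed clock so the run is repeatable
    print("vulnerable:", vulnerable_oauth_callback("user@example.com")["status"])
    step1 = hardened_oauth_callback("user@example.com", now=t)
    print("hardened step 1:", step1["status"])
    code = totp(USERS["user@example.com"]["totp_secret"], t)
    print("hardened step 2:", complete_mfa(step1["pending_token"], code, now=t)["status"])
```

The point of the pending token is that nothing resembling a session exists until the second factor has been verified server-side; the OAuth result only proves who the identity provider says the user is, and the site's own `mfa_enabled` flag decides whether that is sufficient.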
03.10.2025 06:59
Reason for closing: Invalid
Additional comments about closing:
Thank you for your report. This behavior is "by design", since authentication is fully delegated to the OAuth service.