Security vulnerabilities

  • Status Closed
  • Assigned To
    nferrari
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 18.05.2026
Last edited by nferrari - 03.06.2026

FS#338 - 2FA Secret Permanently Exposed in Profile Page HTML After Enrollment

Endpoint: GET /user/

Steps to Reproduce:
1. Enable and complete 2FA enrollment on alwaysdata.com
2. Send GET /user/ with valid session cookie
3. Inspect HTML response body
4. Secret found in:

  1. <input name="secret" value="3KWMB6EAX3YTVDU4J5S32QYFDVIJET7G">
  2. data-url="otpauth://totp/…?secret=3KWMB6EAX3YTVDU4J5S32QYFDVIJET7G"

Expected Behavior:
- Secret should never appear in HTML after enrollment
- Field should be masked or omitted entirely
- otpauth URI should not be rendered post-enrollment

Actual Behavior:
- Full TOTP secret exposed in plaintext HTML - Full otpauth:// URI exposed in data attribute
- Any attacker with temporary session access can steal

the secret permanently

Impact:
- Attacker with brief session access (XSS, session hijack)

can extract secret and generate valid OTPs forever

- Victim has no indication their 2FA was compromised
- 2FA protection completely undermined

Severity: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score: 8.1 (High)

Thank You,

Waleed Anwar

   img.PNG (65.1 KiB)
Closed by  nferrari
03.06.2026 09:46
Reason for closing:  Fixed
Admin

Hi,

Thank you for your report. Can you please open a ticket to our support team regarding to this report for further follow-up?

Regards,

Oky sir

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing