- Status Closed
-
Assigned To
nferrari - Private
Opened by waloodi_109 - 18.05.2026
Last edited by nferrari - 03.06.2026
FS#338 - 2FA Secret Permanently Exposed in Profile Page HTML After Enrollment
Endpoint: GET /user/
Steps to Reproduce:
1. Enable and complete 2FA enrollment on alwaysdata.com
2. Send GET /user/ with valid session cookie
3. Inspect HTML response body
4. Secret found in:
- <input name="secret" value="3KWMB6EAX3YTVDU4J5S32QYFDVIJET7G">
- data-url="otpauth://totp/…?secret=3KWMB6EAX3YTVDU4J5S32QYFDVIJET7G"
Expected Behavior:
- Secret should never appear in HTML after enrollment
- Field should be masked or omitted entirely
- otpauth URI should not be rendered post-enrollment
Actual Behavior:
- Full TOTP secret exposed in plaintext HTML - Full otpauth:// URI exposed in data attribute
- Any attacker with temporary session access can steal
the secret permanently
Impact:
- Attacker with brief session access (XSS, session hijack)
can extract secret and generate valid OTPs forever
- Victim has no indication their 2FA was compromised
- 2FA protection completely undermined
Severity: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score: 8.1 (High)
Thank You,
Waleed Anwar
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
img.PNG
Hi,
Thank you for your report. Can you please open a ticket to our support team regarding to this report for further follow-up?
Regards,
Oky sir