- Status Closed
- Assigned To No-one
- Private
Opened by monty099 - 21.09.2024
Last edited by nferrari - 23.09.2024
FS#78 - **Title:** Access Control Vulnerability in Two-Factor Authentication Management
Title: Access Control Vulnerability in Two-Factor Authentication Management
Summary: This report highlights a security vulnerability related to user account management and two-factor authentication (2FA) within the system. The issue arises when a user invites another user to manage their account, creating a loophole that allows continued access even after 2FA is disabled.
—
Steps to Reproduce:
1. Account Creation:
- A user creates a new account on[admin.alwaysdata.com].
2. Invite for Account Management:
- The account owner invites another user to manage their account. The system requires that the invited user enables two-factor authentication on their account to gain management privileges.
3. Two-Factor Authentication Activation:
- The invited user successfully activates two-factor authentication.
4. Management Access Granted:
- The invited user can now manage the account of the account owner without restrictions.
5. Disable Two-Factor Authentication:
- The invited user disables two-factor authentication on their account.
6. Continued Management Access:
- Despite the deactivation of 2FA, the invited user retains the ability to manage the account of the account owner. This is contrary to the initial requirement that 2FA must be active for management access.
7. Session Management Issues:
- If the invited user logs out and logs back in, they are prompted to re-enable 2FA to regain management access. However, this inconsistency presents a potential security risk during active sessions, Where the user can keep his session for up to two weeks
—##POC: https://admin.alwaysdata.com/support/81354/
Impact: This vulnerability allows an invited user to maintain management privileges over another user’s account, even after failing to comply with security requirements (2FA). If a malicious element manages to hijack the invited user's session, they can control the account owner’s settings without their consent, leading to potential data breaches
23.09.2024 13:25
Reason for closing: Invalid
Additional comments about closing:
Hi,
Thank you for your report.
Since the profile logged in with 2FA, the condition is still valid until signing out.
Report is rejected.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hi,
Thank you for your response. I would like to clarify that the issue lies in the ability to maintain management access even after disabling two-factor authentication, which poses a security risk if a session is compromised.
Therefore, I suggest considering the following:
1. Session Security Verification: Ensure that all users with management privileges are required to have active two-factor authentication at all times.
2. Re-authentication Requirement: Implement a policy to require re-authentication whenever the status of two-factor authentication is changed, to ensure access is not retained without security verification.
0