ID Status Summary Opened by
 300 Closed 2FA Misconfig:Expired and Previously Used 2FA OTP Can B ...ARTanvir76 Task Description

Summary:
alwaysdata.com implements Time-based One-Time Password (TOTP) authentication using Google Authenticator. However, it is possible to successfully authenticate using a previously used and expired OTP code. This indicates that the system does not properly invalidate used or expired OTPs, significantly weakening the security guarantees of two-factor authentication.

Steps to Reproduce

1. Navigate to: https://admin.alwaysdata.com/login/
2. Log in using valid credentials (2FA must be turned on for the account).
3. When prompted for Authenticator 2FA, enter a correct OTP code and complete login successfully.
4. Copy and store the OTP used in step 3.
5. Wait until the OTP expires in Google Authenticator and a new OTP appears.
6. Log out from the account.
7. Attempt to log in again using valid credentials.
8. When prompted for 2FA, enter the previously used and expired OTP code from step 3.
9. Observe: Authentication succeeds even though the OTP is expired and already used.

PoC: video attached

Expected Behavior
An OTP code should be valid only once. Expired OTPs must be rejected. Previously used OTPs must be invalidated immediately after successful authentication.

Actual Behavior
Expired and previously used OTP codes are still accepted. Login succeeds with replayed OTP values.

Impact
This vulnerability allows attackers to bypass two-factor authentication by reusing expired and previously used OTP codes, leading to unauthorized account access and potential account takeover.
Beyond direct security impact, exploitation of this issue can cause significant reputational damage to the company. Users expect 2FA to provide strong protection; a failure in its implementation may lead users to perceive the platform as insecure, resulting in loss of user trust, reduced confidence in the service, and potential customer churn. Additionally, if exploited at scale, this could expose the company to compliance, legal, and brand credibility risks.

Recommended solution
Enforce single-use OTP validation by immediately invalidating a TOTP code after successful authentication. Strictly verify OTP expiration time and reject any expired or previously used codes on the server side. Implement replay protection and ensure TOTP validation fully complies with RFC 6238, allowing only minimal clock skew.
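An added example, not code from the report or from alwaysdata, of the server-side check the recommended solution describes: a TOTP verifier that remembers the highest time step a user has already consumed and rejects any code at or below it, accepting at most one step of clock skew. The secret and timestamps below are the published RFC 4226 / RFC 6238 test values; the per-user `last_counter` would be persisted alongside the user record in a real deployment.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


@dataclass
class TotpVerifier:
    secret: bytes
    step: int = 30
    skew: int = 1           # accept codes from +/- one time step around "now"
    last_counter: int = -1  # highest time step already used; persist per user

    def verify(self, code: str, now: int) -> bool:
        """Accept a code once within the skew window; reject replays and stale codes."""
        current = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            # Replay protection (RFC 6238 section 5.2): a time step that was
            # already consumed, or any earlier one, is never accepted again.
            if candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


# Constructed walk-through of the report's steps with the RFC test secret.
RFC_SECRET = b"12345678901234567890"


def replay_scenario() -> tuple[bool, bool, bool, bool]:
    v = TotpVerifier(RFC_SECRET)
    first = v.verify(totp(RFC_SECRET, 59), 59)          # step 3: valid login
    replay_now = v.verify(totp(RFC_SECRET, 59), 59)     # same code, same step
    replay_later = v.verify(totp(RFC_SECRET, 59), 130)  # step 8: expired and used
    fresh_later = v.verify(totp(RFC_SECRET, 130), 130)  # current code still works
    return first, replay_now, replay_later, fresh_later
```

The second and third results are what a correct server returns for the replayed code; the reported behaviour corresponds to them being true.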

 299 Closed Two-Factor Authentication (2fa) Bypass via Google OAuth ...ARTanvir76 Task Description

Summary:
The application allows users to enable TOTP-based Two-Factor Authentication (2FA) for additional account security. However, when a user logs in using Google OAuth, the system completely bypasses the account’s configured TOTP verification. This allows anyone with access to the linked Google account to log in without providing the required TOTP code, effectively defeating the purpose of 2FA on the platform.

Steps to Reproduce
1. Create a valid account using Gmail at: https://www.alwaysdata.com/en/register/
2. Link the account with Google OAuth.
3. Enable Two-Factor Authentication (TOTP) in account settings.
4. Log out of the account.
5. Attempt to log in using email + password. Observe that the system correctly prompts for the TOTP code.
6. Log out again.
7. Attempt to log in using Google OAuth.
8. Observe that login is successful without being prompted for TOTP. No 2FA code needed.

PoC: video attached.

Expected Behavior:
TOTP-based 2FA should be enforced for all authentication methods, including OAuth logins. Users should not be able to access the account without successfully completing TOTP verification, regardless of whether they authenticate via password or Google OAuth.

Actual Behavior:
OAuth login completely bypasses the TOTP verification, allowing immediate access to the account. This effectively nullifies the additional security layer that the user explicitly enabled.

Impact
If an attacker gets access to the victim’s Google OAuth account they can log in to alwaysdata.com without TOTP. This bypasses 2FA protection and allows full account takeover. The attacker can access sensitive data and change account settings. 2FA security is completely defeated and the account can be fully compromised.

Recommended Fix
Enforce TOTP verification after all authentication methods, including OAuth. Ensure OAuth login completes only the primary authentication step, requiring TOTP before creating a session. Implement centralized authentication middleware to check 2FA status before granting access.
