Attacker is able to bypass 2FA verification during 2FA disable due to application logic flaw in ikus060/rdiffweb
Reported on
Sep 29th 2022
Description
An attacker is able to bypass 2FA verification in the "disable 2FA" function of a user account, and can lock the user out of his account, due to an application logic flaw.
Proof of Concept
First of all, consider a scenario where a user has left his account open on a public device (library or cafe) and the attacker gets access to that device.
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and click on "Disable 2FA". The verification code is sent to the user's email, which the attacker cannot access.
2) This is where the application logic flaw comes in.
3) The attacker goes to https://rdiffweb-dev.ikus-soft.com/prefs/general, changes the email from the user's email to the attacker's email, and saves the changes. No password confirmation is required for this change.
4) He goes back to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and clicks on "Disable 2FA" again.
5) As the email associated with the account is now the attacker's email, he receives the verification code.
6) He can go ahead and disable 2FA now.
POC:
https://drive.google.com/file/d/1iA_JSlhwCLt54IIpRHx2Ey9yt1Sltchq/view?usp=sharing
# Impact
The attacker is able to disable the user's 2FA, removing a security control the user had put in place.
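The following is an added, hypothetical model of the preferences flow, not rdiffweb's own code, showing the defensive shape that closes the flaw above: both the email change and the 2FA disable require the account password, and a mailed code is bound to the address it was issued to, so a code requested before an email change no longer works afterwards. Account, change_email, request_mfa_disable and disable_mfa are names assumed for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical stand-alone model; not taken from the rdiffweb code base.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    mfa_enabled: bool = True
    pending_code: Optional[str] = None
    code_email: Optional[str] = None  # address the pending code was mailed to

class ReauthRequired(Exception):
    """Sensitive action attempted without confirming the account password."""

def make_account(email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email, salt, _hash(password, salt))

def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)

def change_email(acct: Account, new_email: str, password: str) -> None:
    # Hardened: changing the recovery channel requires the password (CWE-306 fix)
    if not check_password(acct, password):
        raise ReauthRequired("password confirmation required")
    acct.email = new_email
    # Any outstanding MFA code went to the old address; invalidate it
    acct.pending_code = acct.code_email = None

def request_mfa_disable(acct: Account) -> str:
    # Issue a one-time code bound to the current address (returned here instead of mailed)
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    acct.code_email = acct.email
    return acct.pending_code

def disable_mfa(acct: Account, code: str, password: str) -> bool:
    # Hardened: requires both the mailed code and the password
    if not check_password(acct, password):
        raise ReauthRequired("password confirmation required")
    ok = (acct.pending_code is not None
          and hmac.compare_digest(code, acct.pending_code)
          and acct.code_email == acct.email)
    if ok:
        acct.mfa_enabled = False
        acct.pending_code = acct.code_email = None
    return ok
```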
Would say it's a duplicate of this one: No password confirmation on sensitive action like email change
Basically, the vulnerability in this report is letting the attacker change the email without password verification.
At least, the user gets notified of the email address being changed.
Let us put a good fix forward: this can be fixed by requiring the password for the 2FA feature as well, so that both the confirmation code and the password are needed to disable 2FA.
This way, even though the attacker has changed the email associated with the account, he won't be able to tamper with the 2FA-related security implementation.
@maintainer hello sir, what is your opinion on this issue?
@nehalr777 Then change the vulnerability type to "CWE-306: Missing Authentication for Critical Function"
@admin, could you please change the vulnerability type to "CWE-306: Missing Authentication for Critical Function"?