No notification triggered on sensitive actions like 2FA enable/disable in ikus060/rdiffweb

Valid

Reported on

Sep 29th 2022

Description

Enabling or disabling 2FA is a sensitive action. Since the application already triggers a notification on other sensitive actions, such as an email change or a password reset, a change to 2FA (an equally important security setting) should also be notified to the user.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa
2) Complete all the steps needed to successfully enable 2FA
3) Check the inbox of your registered email address
4) You will notice that no notification is triggered for this security-sensitive action
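To show what the missing control looks like, here is an added example (not rdiffweb's own code and not the fix from commit c27c46): a hypothetical account-update handler that queues a notification whenever a sensitive field, including the MFA flag, actually changes, and stays silent when a form is re-saved with the same value. `Account`, `update_account`, `SENSITIVE_FIELDS` and the field names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Fields whose change must always notify the account owner.
# Constructed for this illustration; rdiffweb's own event list is not reproduced.
SENSITIVE_FIELDS = {"email", "password_hash", "mfa_enabled"}


@dataclass
class Account:
    username: str
    email: str
    password_hash: str = ""
    mfa_enabled: bool = False
    outbox: list = field(default_factory=list)  # stand-in for the outgoing mail queue


def build_notification(account, field_name, old_value, new_value):
    """Return the message to queue for one changed sensitive field."""
    if field_name == "mfa_enabled":
        subject = "Two-factor authentication " + ("enabled" if new_value else "disabled")
        recipients = [account.email]
    elif field_name == "email":
        subject = "Email address changed"
        # Also tell the old address, so a hijacked account cannot silence the alert.
        recipients = [old_value, new_value]
    else:
        subject = "Password changed"
        recipients = [account.email]
    return {"to": recipients, "subject": subject}


def update_account(account, **changes):
    """Apply field changes and queue a notification for every sensitive field
    whose value actually changed. Returns the names of the fields notified."""
    notified = []
    for name, new_value in changes.items():
        old_value = getattr(account, name)
        if old_value == new_value:
            continue  # re-saving the same value is not a security event
        message = None
        if name in SENSITIVE_FIELDS:
            # Build before the write so the old value is still available.
            message = build_notification(account, name, old_value, new_value)
        setattr(account, name, new_value)
        if message is not None:
            account.outbox.append(message)
            notified.append(name)
    return notified
```

Both the enable and the disable transition produce a message, which is the behaviour the proof of concept above shows to be absent.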

# Impact

If an attacker is able to disable 2FA by any means, the user will remain unaware of the change.

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 2 months ago
Patrik Dufresne assigned a CVE to this report 2 months ago
Patrik Dufresne validated this vulnerability 2 months ago
nehalr777 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the ikus060/rdiffweb team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the ikus060/rdiffweb team. This report is now considered stale. 2 months ago
Patrik Dufresne marked this as fixed in 2.5.0a7 with commit c27c46 a month ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
email_mfa.html#L1-L18 has been validated
Patrik Dufresne published this vulnerability 21 days ago