No notification triggered on sensitive actions like 2FA enable/disable in ikus060/rdiffweb
Status: Valid
Reported on Sep 29th 2022
# Description
Enabling or disabling 2FA is a sensitive action. The application already triggers a notification on other sensitive actions such as an email change or password reset; 2FA is an equally important security feature, so the user should be notified when it is changed.
# Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa
2) Complete all the steps needed to successfully enable 2FA
3) Check the inbox of your registered email address
4) Notice that no notification is triggered for this security-sensitive endpoint
# Impact
If an attacker is able to disable 2FA by any means, the user will remain unaware of the change.
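The behaviour the report asks for, as an added Python example that is not rdiffweb's own code: a preferences handler that treats a 2FA state change like the other sensitive actions and always emails the user after the change is committed. `User`, `Outbox` and `set_mfa` are assumed names standing in for the application's user model and mail sender.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class User:
    """Hypothetical user record; stands in for the app's real user model."""
    username: str
    email: str
    mfa_enabled: bool = False


@dataclass
class Outbox:
    """Hypothetical mail sink standing in for the app's SMTP sender."""
    sent: List[dict] = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


# One message per transition. The body tells the user what to do if the
# change was not theirs, which is the whole point of the notification.
_MFA_NOTICE = {
    True: ("Two-factor authentication enabled",
           "Hi {username}, 2FA was just enabled on your account. "
           "If you did not do this, contact your administrator."),
    False: ("Two-factor authentication disabled",
            "Hi {username}, 2FA was just disabled on your account. "
            "If you did not do this, contact your administrator immediately."),
}


def set_mfa(user: User, enabled: bool, outbox: Outbox) -> bool:
    """Persist the new 2FA state and notify the user on every real change.

    Returns True when the flag changed (and a notice was sent), False for a
    no-op request, so the flag can never be flipped silently.
    """
    if user.mfa_enabled == enabled:
        return False
    user.mfa_enabled = enabled
    subject, body = _MFA_NOTICE[enabled]
    # Send only after the state is committed so the mail never lies about it.
    outbox.send(user.email, subject, body.format(username=user.username))
    return True
```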
# Occurrences
email_mfa.html#L1-L18 (has been validated)