Previously created sessions continue being valid after MFA activation [namelessmc.com] in namelessmc/nameless

Valid

Reported on

Aug 6th 2022


Description

  1. Hello Team I found one issue related to your 2FA system on https://namelessmc.com/user/settings/?do=enable_tfa&s=2

Vulnerability Type:

  1. Improper Access Control - Generic

STEP TO REPRODUCE:

  1. 1- access the same account on https://namelessmc.com/ in two devices
  2. 2- on device 'A'go to

https://namelessmc.com/user/settings/?do=enable_tfa&s=2 > complete all steps to change the 2FA system

  • -> Now the 2FA is activated from Phone number/Email
  1. 3- back to device 'B' reload the page
  • -> The session is still active and also I have updated the new email.
  1. 4- For More Details To Check the POC

Proof of Concept:

POC VIDEO

Impact

  1. In this scenario when 2FA is changing the other sessions of the account are not invalidated.
  2. 2FA is required to login. I believe the expected and recommended behavior here is to terminate the other sessions> request a new login> request the 2FA code> so then give the account access again
We are processing your report and will contact the namelessmc/nameless team within 24 hours. 2 months ago
Sam validated this vulnerability 2 months ago
AGNIHACKERS has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
AGNIHACKERS
2 months ago

Researcher


@Sam @maintainer are you happy to assign a CVE? please confirm, then only admin can move further

AGNIHACKERS
2 months ago

Researcher


@admin can you pls assign a CVE for this?

AGNIHACKERS
2 months ago

Researcher


@Sam waiting for bounty . This is High vulnerability.

Jamie Slome
a month ago

Admin


Happy to assign a CVE once we get the go-ahead from the maintainer 👍

AGNIHACKERS
a month ago

Researcher


@maintainer are you happy to assign a CVE ? Please confirm

We have sent a fix follow up to the namelessmc/nameless team. We will try again in 7 days. a month ago
Sam
a month ago

Maintainer


Hi, apologies for the delay.

Yes I am happy to go ahead with assigning a CVE.

Sam confirmed that a fix has been merged on 469beb a month ago
The fix bounty has been dropped
settings.php#L24-L135 has been validated
AGNIHACKERS
a month ago

Researcher


@admin maintainer as given the permission for assigning CVE. So please assign a CVE for this report

Jamie Slome
a month ago

Admin


Sorted 👍

AGNIHACKERS
a month ago

Researcher


@admin waiting for bounty . This is High vulnerability.

Jamie Slome
a month ago

Admin


There is no bounty for this report. You should see the potential bounty for a report when you submit it.

to join this conversation