2FA Secret recovery and refresh

See original GitHub issue

Hi team

There have been a few issues related to 2FA, where the secret can be retrieved for the 2FA that is already configured. In a practical scenario, this means that the attacker can retrieve the QR code which was used by the victim to set up 2FA. There are a few distinct cases to consider:

a) Attacker can retrieve 2FA secret before login and bypass 2FA -> covered by P3 entry
b) Attacker can retrieve 2FA secret after successful login -> I suggest a P4 entry. See reasons below
c) 2FA secret is not refreshed after disable/enable of 2FA -> I suggest a P4 entry for the same reasons below.

I think cases b and c should be fixed for various reasons. If an attacker has hijacked a valid session, it means they can recover the 2FA secret and hold on to it without the victim’s notice. And this goes along with c, where if the victim notices this and tries to disable the attacker’s access to their 2FA, it is not possible if the secret is not refreshed after disable/enable or some other means. I recognise that the needed valid session is a high prerequisite, but considering these as won't fix seems to neglect low impact issues.

Let me know what you guys think.

Issue Analytics

  • State: closed
  • Created: 5 years ago
  • Reactions: 2
  • Comments: 11 (4 by maintainers)

Top GitHub Comments

2 reactions
jquinard commented, Jan 18, 2019

Other possible options that come to mind for 2FA Secret Cannot be Regenerated.

P4 - Insufficient Security Configurability -> Weak 2FA Implementation -> 2FA Secret Cannot be Rotated
P4 - Insufficient Security Configurability -> Weak 2FA Implementation -> 2FA Secret persistent across configuration changes

1 reaction
plr0man commented, Jan 3, 2019

We had a chance to circle back to this topic and get some opinions from the broader team. While chaining vulnerabilities is a topic separate from the VRT severity rating baselines, the majority of the team agrees that the concept of 2FA alone requires a higher level of protections regardless of account takeover being a prerequisite. We decided to address issues described here as P4.

Thank you everyone for your feedback! Next step is to work on the actual classification.
