Summary
The TOTP authentication flow has multiple issues that weakens its one-time nature.
Details
The issues include:
- OTPs are reusable in their time window
- OTPs tentatives are unlimited, even within the same session
- Security settings such as disabling the OTP and changing the GPG key do not require the OTP
PoC
There is application-wide rate limiting. However it is IP based and not account-based, so not really a protection against OTP bruteforces.
Pretty generous IP-based rate-limiting
|
@limiter.limit("120 per minute") |
totp.verify invoked directly on user input, without checking the number of attempts per-user and without checking for reuse.
|
if totp.verify(verification_code): |
Impact
Authentication is weakened. Specifically, the lack of 2fa authentication for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction, as mentioned the other reports12.
Note that: attack complexity is high as credentials are required.
lsd-cat Reporter
Summary
The TOTP authentication flow has multiple issues that weakens its one-time nature.
Details
The issues include:
PoC
There is application-wide rate limiting. However it is IP based and not account-based, so not really a protection against OTP bruteforces.
Pretty generous IP-based rate-limiting
hushline/hushline/routes.py
Line 300 in c57e77c
totp.verifyinvoked directly on user input, without checking the number of attempts per-user and without checking for reuse.hushline/hushline/routes.py
Line 318 in c57e77c
Impact
Authentication is weakened. Specifically, the lack of 2fa authentication for changing security settings allows attacker with CSRF or XSS primitives to change such settings without user interaction, as mentioned the other reports12.
Note that: attack complexity is high as credentials are required.
Footnotes
GHSA-r85c-95x7-4h7q ↩
GHSA-4v8c-r6h2-fhh3 ↩