
VRT Category Suggestion - Account 2FA not required on OAuth (P5) #500

Description

@binbashsu-bugcrowd

Issue:

  • A user signs up for an application account with email and password. They enable 2FA on said account.
  • The user logs out and logs back in and they are correctly challenged for their 2FA code.
  • The same user then links their OAuth account to their application account.
  • The user logs into their account via their OAuth account and the application does not challenge for the previously enabled 2FA implementation using username/password.

VRT Category Suggestion:

P5: Insufficient Security Configurability -> Weak 2FA Implementation -> 2FA Not Required on OAuth Authentication

Justification:

It would be considered best practice rather than an exploitable vulnerability that if a user has previously set up 2FA on a username/password authentication mechanism, and then links an OAuth account, authenticating using the OAuth account does not challenge for the previous 2FA implementation. This is due to the authentication process being handled within the OAuth implementation and would require prior compromise of a victim's OAuth account.
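Added illustration of the flow described above (constructed example; not code from the issue or from any particular application). The first login function models the reported behaviour, where the 2FA check is attached to the password path only; the second attaches the check to the account, so an OAuth-linked login is challenged as well. The account record and the IdP subject string are made up for the demo.

```python
from dataclasses import dataclass, field
import hmac


@dataclass
class Account:
    email: str
    password: str                      # plaintext only for this constructed demo
    totp_enabled: bool = False
    linked_oauth_subjects: set = field(default_factory=set)


# Constructed sample: password login, 2FA enabled, one linked OAuth identity.
ACCOUNTS = {
    "alice@example.test": Account("alice@example.test", "hunter2",
                                  totp_enabled=True,
                                  linked_oauth_subjects={"idp|sub-123"}),
}


def find_by_oauth_subject(subject):
    """Resolve an IdP subject to the local account it was linked to, if any."""
    for acct in ACCOUNTS.values():
        if subject in acct.linked_oauth_subjects:
            return acct
    return None


def login_weak(method, **cred):
    """Weak flow from the issue: 2FA is only enforced on the password path."""
    if method == "password":
        acct = ACCOUNTS.get(cred["email"])
        if acct is None or not hmac.compare_digest(acct.password, cred["password"]):
            return "denied"
        return "await_2fa" if acct.totp_enabled else "session"
    if method == "oauth":
        acct = find_by_oauth_subject(cred["subject"])
        # Defect: the IdP assertion is treated as a complete login; the
        # account's 2FA setting is never consulted.
        return "session" if acct else "denied"
    return "denied"


def login_fixed(method, **cred):
    """Hardened flow: 2FA is a property of the account, applied after any first factor."""
    if method == "password":
        acct = ACCOUNTS.get(cred["email"])
        if acct is None or not hmac.compare_digest(acct.password, cred["password"]):
            return "denied"
    elif method == "oauth":
        acct = find_by_oauth_subject(cred["subject"])
        if acct is None:
            return "denied"
    else:
        return "denied"
    # Same decision regardless of how the first factor was satisfied.
    return "await_2fa" if acct.totp_enabled else "session"
```

The practical check is that every first-factor path ends in the same account-level step; in a real system the "await_2fa" state should hold a partial session that cannot reach protected resources.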
