
P4: Weak 2FA Implementation > On Password-Change #509

Description

@binbashsu-bugcrowd

When a user has configured 2FA on their account, any password reset should still prompt for the code from the configured 2FA device. When a system/application doesn't, we would consider this a weak 2FA implementation.

Pre-requisites: A malicious actor has access to the victim's OTP on password reset.

Given the high impact if abused but high attacker-complexity, this would be rated at P4.
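The control described in this issue, as an added example that is not part of the original issue or of Bugcrowd's VRT: a password-change handler that refuses to write a new password until the account's configured 2FA device has been checked, shown beside the weak pattern that checks only the current password. The TOTP routine follows RFC 6238 using only the Python standard library; the user store, the secret (the RFC 6238 test key) and the passwords are constructed for the demonstration.

```python
# Added example, not code from the issue or from Bugcrowd. Demonstrates
# a password-change flow that enforces an account's configured TOTP
# second factor, beside the weak variant that ignores it.
import base64
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30
TOTP_DIGITS = 6


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 (demo iteration count); returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(record, password):
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["password_hash"])


def hotp(secret_b32, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=TOTP_STEP):
    """RFC 6238 TOTP for Unix time `at` (defaults to now)."""
    t = time.time() if at is None else at
    return hotp(secret_b32, int(t // step))


def verify_totp(secret_b32, code, at=None, step=TOTP_STEP, window=1):
    """Accept the current step plus/minus `window` steps to absorb clock drift.
    Constant-time compare so the check leaks nothing about the expected code."""
    t = time.time() if at is None else at
    counter = int(t // step)
    return any(hmac.compare_digest(hotp(secret_b32, c), code)
               for c in range(counter - window, counter + window + 1))


def make_users():
    """Constructed user store. alice has 2FA enrolled (RFC 6238 test key
    '12345678901234567890' in base32); bob has no second factor."""
    salt, digest = hash_password("correct horse")
    return {
        "alice": {"salt": salt, "password_hash": digest,
                  "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
        "bob": {"salt": salt, "password_hash": digest, "totp_secret": None},
    }


def change_password_weak(users, username, current_password, new_password):
    """Weak pattern from the issue: only the current password is checked,
    so an enrolled 2FA device never gets a say in the password change."""
    user = users.get(username)
    if user is None or not verify_password(user, current_password):
        return "denied"
    user["salt"], user["password_hash"] = hash_password(new_password)
    return "changed"


def change_password(users, username, current_password, new_password, otp=None, at=None):
    """Hardened pattern: when a TOTP secret is configured, a valid code is
    required before the new password is written. `at` is injectable for tests."""
    user = users.get(username)
    if user is None or not verify_password(user, current_password):
        return "denied"
    if user["totp_secret"] is not None:
        if otp is None:
            return "2fa_required"          # tell the client to prompt for the device
        if not verify_totp(user["totp_secret"], otp, at=at):
            return "denied"
    user["salt"], user["password_hash"] = hash_password(new_password)
    return "changed"


if __name__ == "__main__":
    store = make_users()
    print("weak:", change_password_weak(store, "alice", "correct horse", "new pw"))
    store = make_users()
    print("hardened, no code:", change_password(store, "alice", "correct horse", "new pw"))
    code = totp(store["alice"]["totp_secret"])
    print("hardened, with code:", change_password(store, "alice", "correct horse", "new pw", otp=code))
```

The same gate belongs on the forgot-password reset path, not just the logged-in change form: a reset token proves control of the mailbox, not of the second factor, so the reset handler should require the TOTP code before accepting the new password in exactly the same way.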
