[security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
Concerned version
Version: 2.0.11
Summary
- Configure "Use 2FA for session upgrade"
- Configure TOTP with "Display existing secret" enabled
- Steal a user's password and login with it
- Go to 2FA manager, click TOTP
- Scan the user's existing TOTP secret into your own device, and profit.
Possible fixes
Either:
- Remove the ability to display existing 2FA secrets, or
- Protect the existing secret from being displayed when the current authentication level is too low
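The second fix as an added illustration (not LemonLDAP::NG's own code): the existing secret is only returned to a session whose authentication level already reaches the level the TOTP module grants. Under "Use 2FA for session upgrade" a password-only session sits below that level, so the stolen-password session in the summary gets nothing back. Field names, levels and the sample secret are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    authentication_level: int  # level after password only, or higher after a 2FA upgrade


@dataclass
class TotpConfig:
    display_existing_secret: bool  # totp2fDisplayExistingSecret
    level: int                     # level granted once TOTP is verified (assumed field name)


# Constructed sample store: user -> base32 TOTP secret
SECRETS = {"alice": "JBSWY3DPEHPK3PXP"}


def secret_for_display_vulnerable(session, cfg, store):
    """Behaviour the report describes: any authenticated session may read the secret."""
    if cfg.display_existing_secret and session.user in store:
        return store[session.user]
    return None


def secret_for_display_hardened(session, cfg, store):
    """Fix: refuse when the option is off or the session level is below the TOTP level."""
    if not cfg.display_existing_secret:
        return None  # first proposed fix: the feature is simply disabled
    if session.authentication_level < cfg.level:
        return None  # second proposed fix: session never completed 2FA
    return store.get(session.user)


if __name__ == "__main__":
    cfg = TotpConfig(display_existing_secret=True, level=5)
    password_only = Session("alice", authentication_level=2)
    upgraded = Session("alice", authentication_level=5)
    print("vulnerable:", secret_for_display_vulnerable(password_only, cfg, SECRETS))
    print("hardened, password only:", secret_for_display_hardened(password_only, cfg, SECRETS))
    print("hardened, after 2FA:", secret_for_display_hardened(upgraded, cfg, SECRETS))
```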
Depends on #2541 (closed)
Edited by Clément OUDOT