2FA bypass in ikus060/rdiffweb
Oct 3rd 2022
An attacker is able to bypass 2FA due to a logic flaw in the application.
Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/general
2) Your account is set to firstname.lastname@example.org as its primary email
3) Go to https://rdiffweb-dev.ikus-soft.com/prefs/mfa and click on "Enable 2FA"
4) A confirmation code will be sent to your email
5) Let's say the company admin has changed the email associated with the account. The session still persists, as sessions do not expire on email change. Now go back to https://rdiffweb-dev.ikus-soft.com/prefs/general and change the email
6) The previous session still persists. Use the token from step 4 and enable 2FA
7) 2FA is successfully enabled.
Because the confirmation code is not tied to the email address it was sent to, old confirmation codes remain valid after an email change, which allows an attacker to misuse this to bypass 2FA.
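To illustrate the root cause and the fix, the following added example (written for this page, not rdiffweb's own code; Account, MfaEnrollment and replay_after_email_change are hypothetical names, and the in-memory store stands in for the application's session) records which address each confirmation code was mailed to and rejects the code once the account's address differs; bind_to_email=False reproduces the reported behaviour.

```python
import hmac
import secrets
import time

class Account:
    def __init__(self, account_id, email):
        self.account_id = account_id
        self.email = email
        self.mfa_enabled = False

class MfaEnrollment:
    """Issues and checks the confirmation code mailed when a user enables 2FA."""
    def __init__(self, ttl_seconds=600, bind_to_email=True):
        self.ttl = ttl_seconds
        self.bind_to_email = bind_to_email  # False reproduces the reported flaw
        self._pending = {}  # account_id -> (code, address mailed to, expires_at)

    def issue_code(self, account, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        # Remember which address received the code, together with an expiry.
        self._pending[account.account_id] = (code, account.email, now + self.ttl)
        return code  # the real app mails this; returned here only for the demo

    def confirm(self, account, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(account.account_id)
        if entry is None:
            return False
        code, mailed_to, expires_at = entry
        if now > expires_at:
            self._pending.pop(account.account_id)
            return False
        # The fix: a code is valid only for the address it was actually sent to.
        if self.bind_to_email and mailed_to != account.email:
            self._pending.pop(account.account_id)
            return False
        if not hmac.compare_digest(code, submitted):
            return False
        self._pending.pop(account.account_id)  # single use
        account.mfa_enabled = True
        return True

def replay_after_email_change(bind_to_email):
    """Steps 2-7 of the report: get a code, change the address, reuse the code."""
    acct = Account(1, "firstname.lastname@example.org")  # constructed sample account
    enrollment = MfaEnrollment(bind_to_email=bind_to_email)
    code = enrollment.issue_code(acct, now=0)
    acct.email = "other@example.org"  # profile change; the session is untouched, as reported
    return enrollment.confirm(acct, code, now=1)
```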