GitLab.org / GitLab / Issues / #27686 (Closed)
Issue created Mar 29, 2019 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

Pre-generation & Static 2FA Authenticator Secret Code can cause risks to accounts

HackerOne report #511260 by rgupt on 2019-03-17, assigned to asaba:

Summary:

This issue was inspired by one of the reports, #100509, submitted to HackerOne. They have fixed this issue; however, this issue is seen on the Gitlab application as well.

Description:

It is observed that the 2FA Authenticator Secret Code generated for an account remains static even when the user logs out of and logs into the application multiple times.

An attack might play out like this:

  • The attacker is able to abuse a password manager's behavior to obtain the victim's username/password at this point.
  • The attacker logs into Gitlab & silently grabs the 2FA Authenticator Code without enabling the 2FA.
  • Victim logs into their account and then tries to enable 2FA to prevent hacker from accessing the victim's account.
  • However, since the attacker already has the 2FA secret code, and since the 2FA secret code remains static & does not change, the attacker can silently continue to access the victim's account credentials with the 2FA code the attacker possesses.

Steps To Reproduce:

  1. Log in to a Gitlab account which does not have 2FA enabled.
  2. Navigate to Settings -> Accounts Page and click on the button to enable 2FA.
  3. The Secret Key for the 2FA Authenticator Code will be displayed. Note this code.
  4. Log out of that session, log in again and navigate to Settings -> Accounts Page.
  5. Again click on the button to enable 2FA and check if the same Secret Key for the 2FA Authenticator code is displayed.

In all the cases, the Secret Key for the 2FA Authenticator Code never changes and remains static.

Suggested Fix

It could be mitigated by generating a new 2FA Authenticator Secret Code each time the user tries to enable 2FA (regardless of whether the process was cancelled previously). This is how secure sites like HackerOne & Github perform.

Impact

As a result, if a hacker was able to access the victim's account credentials, the hacker can silently get the 2FA Authenticator code without enabling the 2FA Authentication. The next time the victim enables 2FA, the hacker would still have access to the 2FA Authenticator Code and can continue to log in to the victim's account.
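As an added illustration (not part of the report and not GitLab's code), the Python model below contrasts the reported static-secret behaviour with the suggested fix: a fresh pending secret is minted on every visit to the enable page and is committed only after the user confirms it with a valid TOTP code, so a secret captured on an earlier visit never becomes the account's second factor. The `User` class, the function names and the RFC 6238 TOTP helper are assumptions made for this demo.

```python
import base64, hashlib, hmac, secrets, struct

def new_totp_secret() -> str:
    """20 random bytes, base32-encoded: the form authenticator apps accept."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for Unix time `now`."""
    key = base64.b32decode(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class User:
    otp_secret = None      # committed secret; set only once the user confirms 2FA
    pending_secret = None  # secret shown on the enable page, not yet trusted

def show_enable_page_static(user: User) -> str:
    """Reported behaviour: one secret is generated and re-shown on every visit."""
    if user.pending_secret is None:
        user.pending_secret = new_totp_secret()
    return user.pending_secret

def show_enable_page_fresh(user: User) -> str:
    """Suggested fix: each visit to the enable page mints a new pending secret."""
    user.pending_secret = new_totp_secret()
    return user.pending_secret

def confirm_2fa(user: User, code: str, now: int) -> bool:
    """Commit the pending secret only when the user proves possession of it."""
    if user.pending_secret is None or not hmac.compare_digest(
            totp(user.pending_secret, now), code):
        return False
    user.otp_secret, user.pending_secret = user.pending_secret, None
    return True

def verify_login(user: User, code: str, now: int) -> bool:
    """Second factor at login: only the committed secret counts."""
    return user.otp_secret is not None and hmac.compare_digest(totp(user.otp_secret, now), code)

def replay_scenario(now: int = 1_600_000_000) -> dict:
    """Attacker saw the enable page earlier; the victim enables 2FA later."""
    victim = User()
    leaked = show_enable_page_fresh(victim)  # attacker's earlier visit
    show_enable_page_fresh(victim)           # victim's own visit: a new secret
    enabled = confirm_2fa(victim, totp(victim.pending_secret, now), now)
    return {"enabled": enabled, "leaked": leaked, "committed": victim.otp_secret,
            "attacker_login": verify_login(victim, totp(leaked, now), now)}
```

With the static variant, `show_enable_page_static` returns the same secret on every call, which is the behaviour the reproduction steps describe; with the fresh variant, the secret the attacker captured is never the one that gets committed.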
