Pre-generation & Static 2FA Authenticator Secret Code can cause risks to accounts
HackerOne report #511260 by rgupt
on 2019-03-17, assigned to asaba
Summary:
This issue was inspired by report #100509 submitted to HackerOne. That issue has been fixed there; however, the same issue is present in the GitLab application as well.
Description:
It is observed that the 2FA Authenticator Secret Code generated for an account remains static even when the user logs out of and back into the application multiple times.
An attack might play out like this:
- The attacker has already obtained the victim's username/password at this point, for example by abusing a password manager's behavior.
- The attacker logs into GitLab and silently grabs the 2FA Authenticator Secret Code without enabling 2FA.
- The victim logs into their account and then tries to enable 2FA to prevent the attacker from accessing the account.
- However, since the attacker already has the 2FA secret code, and since that secret code remains static and does not change, the attacker can silently continue to access the victim's account using the 2FA codes derived from the secret the attacker possesses.
Steps To Reproduce:
- Log in to a GitLab account which does not have 2FA enabled.
- Navigate to Settings -> Account page and click on the button to enable 2FA.
- The Secret Key for the 2FA Authenticator Code will be displayed. Note this key.
- Log out of that session, log in again, and navigate to Settings -> Account page.
- Again click on the button to enable 2FA and check whether the same Secret Key for the 2FA Authenticator Code is displayed.
In all the cases, the Secret Key for the 2FA Authenticator Code never changes and remains static.
Suggested Fix
It could be mitigated by generating a new 2FA Authenticator Secret Code each time the user tries to enable 2FA (regardless of whether the process was cancelled previously). This is how secure sites like HackerOne and GitHub behave.
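The following is an added example, not GitLab's code, that contrasts the behaviour described in this report with the suggested fix. It models two hypothetical account classes: StaticSecretAccount, which generates the TOTP secret once and keeps handing out the same value on every enrolment attempt, and RotatingSecretAccount, which generates a fresh secret on every attempt and only persists it once the user has proven possession by submitting a valid code. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) so it can be checked against the RFC's published test vector; all class and method names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_totp_secret(nbytes: int = 20) -> str:
    """Return a fresh, unpredictable base32-encoded TOTP secret (160 bits by default)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp(secret_b32: str, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32)
    counter = int(timestamp // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class StaticSecretAccount:
    """Weak behaviour from the report (hypothetical model): the secret shown during
    enrolment is generated once and re-displayed unchanged on every later attempt."""

    def __init__(self) -> None:
        self._pending_secret = None
        self.otp_secret = None  # secret that is actually enforced at login

    def start_enable_2fa(self) -> str:
        if self._pending_secret is None:
            self._pending_secret = generate_totp_secret()
        return self._pending_secret  # same value for anyone who opens the page


class RotatingSecretAccount:
    """Suggested fix (hypothetical model): every enrolment attempt mints a new
    secret, and it only becomes the account's secret after a valid code confirms it."""

    def __init__(self) -> None:
        self._pending_secret = None
        self.otp_secret = None

    def start_enable_2fa(self) -> str:
        # A previously displayed (possibly observed) secret is discarded here.
        self._pending_secret = generate_totp_secret()
        return self._pending_secret

    def confirm_enable_2fa(self, code: str, now: float) -> bool:
        pending = self._pending_secret
        if pending is None:
            return False
        if not hmac.compare_digest(totp(pending, now), code):
            return False
        self.otp_secret = pending
        self._pending_secret = None
        return True

    def verify_login(self, code: str, now: float) -> bool:
        if self.otp_secret is None:
            return False
        return hmac.compare_digest(totp(self.otp_secret, now), code)


if __name__ == "__main__":
    now = time.time()
    weak = StaticSecretAccount()
    print("static secret repeats:", weak.start_enable_2fa() == weak.start_enable_2fa())

    victim = RotatingSecretAccount()
    observed = victim.start_enable_2fa()      # secret seen by someone with the password
    fresh = victim.start_enable_2fa()         # victim's own later enrolment attempt
    victim.confirm_enable_2fa(totp(fresh, now), now)
    print("observed secret still valid:", victim.otp_secret == observed)
```

The important design point is the split between start_enable_2fa and confirm_enable_2fa: a secret that was only displayed, never confirmed, grants nothing, and the next enrolment attempt replaces it, so a secret copied from an earlier session cannot be used once the legitimate user completes enrolment.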
Impact
As a result, if an attacker is able to obtain the victim's account credentials, the attacker can silently retrieve the 2FA Authenticator Secret Code without enabling 2FA. When the victim later enables 2FA, the attacker still holds the same secret code and can continue to log in to the victim's account.