Previously created sessions remain active after activating 2FA

HackerOne report #676772 by xanbanx on 2019-08-19, assigned to jmatos_bgtvf:

Summary

I found a security problem related to your 2FA implementation. GitLab does not purge user sessions when 2FA gets activated. Instead, they are kept alive without 2FA ever having been required for them.

Steps to reproduce

  1. Create two sessions on two devices, now named session A and session B
  2. On session A, go to the user settings and activate 2FA
  3. On session B, reload the page. Session B is still active although it was not logged in with 2FA, and it can use GitLab normally.

Impact

Sessions without 2FA are kept alive when 2FA gets activated, so these sessions are still usable although 2FA was activated.

Examples

This happens on gitlab.com

What is the current bug behavior?

Older sessions are kept active when 2FA gets activated.

What is the expected correct behavior?

When 2FA gets activated, all older sessions should be purged forcing them to re-login with 2FA.

Impact

See above.
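The steps to reproduce and the expected behaviour above can be replayed against a small model of the session store. The following is an added example written for this page, not GitLab's own code: the session store, the `User` struct, the function names and the sample account id 42 are all assumptions. It models the reported behaviour (enabling 2FA only flips the account flag), the fix the reporter asks for (purge every other session so it must log in again with 2FA), and a second line of defence that refuses a session which never passed 2FA even when the purge is missing.

```ruby
require 'securerandom'

# Added example, not GitLab's code: a toy session store used to replay the
# report's steps and show the purge the reporter asks for.
class SessionStore
  Session = Struct.new(:id, :user_id, :two_factor_verified, :active)

  def initialize
    @sessions = {}
  end

  # Log a user in. two_factor_verified records whether a second factor was
  # actually checked for this session (false for logins made before 2FA
  # existed on the account, which is exactly the session the report abuses).
  def create(user_id, two_factor_verified: false)
    sid = SecureRandom.hex(16)
    @sessions[sid] = Session.new(sid, user_id, two_factor_verified, true)
    sid
  end

  def find(sid)
    @sessions[sid]
  end

  # Revoke every session of user_id except keep_sid, the one the 2FA
  # enrolment was just completed from.
  def destroy_other_sessions(user_id, keep_sid)
    @sessions.each_value do |s|
      s.active = false if s.user_id == user_id && s.id != keep_sid
    end
  end
end

# Hypothetical account record; only the fields the example needs.
User = Struct.new(:id, :two_factor_enabled)

# What the report observed: the only check is "does the session still exist".
def active_only?(store, _user, sid)
  s = store.find(sid)
  !s.nil? && s.active
end

# Stricter request-time gate: once the account has 2FA on, a session that
# never passed 2FA is refused even if it was never purged (defence in depth).
def session_authorized?(store, user, sid)
  return false unless active_only?(store, user, sid)
  s = store.find(sid)
  !user.two_factor_enabled || s.two_factor_verified
end

# Current behaviour from the report: enabling 2FA flips the account flag and
# marks the enrolling session as verified, but touches no other session.
def enable_two_factor_unsafe(user, store, current_sid)
  user.two_factor_enabled = true
  store.find(current_sid).two_factor_verified = true
end

# Expected behaviour: same as above, plus purge every other session so it has
# to log in again, this time with 2FA.
def enable_two_factor_safe(user, store, current_sid)
  enable_two_factor_unsafe(user, store, current_sid)
  store.destroy_other_sessions(user.id, current_sid)
end

# Replays the steps: sessions A and B, 2FA enabled from A, then B reloads.
# Returns whether each session is still usable under the given check.
def reproduce(enable_fn, check_fn)
  store = SessionStore.new
  user = User.new(42, false) # constructed sample account
  a = store.create(user.id)
  b = store.create(user.id)
  enable_fn.call(user, store, a)
  { a: check_fn.call(store, user, a), b: check_fn.call(store, user, b) }
end

if __FILE__ == $PROGRAM_NAME
  # Report's finding: both sessions survive 2FA activation.
  p reproduce(method(:enable_two_factor_unsafe), method(:active_only?))
  # Expected behaviour: only the enrolling session A survives.
  p reproduce(method(:enable_two_factor_safe), method(:active_only?))
  # Gate alone: B is refused even without the purge.
  p reproduce(method(:enable_two_factor_unsafe), method(:session_authorized?))
end
```

Purging the other sessions is the fix the report asks for; the per-request gate is worth keeping as well, because a purge can miss sessions held in a different store (a second node, a stale cache) while the gate is evaluated on every request against the session's own record of whether 2FA was ever completed.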