Previously created sessions remain active after activating 2FA
HackerOne report #676772 by xanbanx
on 2019-08-19, assigned to jmatos_bgtvf
Summary
I found a security problem related to your 2FA implementation. GitLab does not purge user sessions when 2FA gets activated. Instead, they are kept alive without 2FA ever having been required for them.
Steps to reproduce
- Create 2 sessions on two devices, from now on named session A and session B
- On session A, go to the user settings and activate 2FA
- On session B, reload the page. Session B is still active although it was not logged in with 2FA and can use GitLab normally.
Impact
Sessions without 2FA are kept alive when 2FA gets activated. So these sessions are still usable although 2FA was activated.
Examples
This happens on gitlab.com
What is the current bug behavior?
Older sessions are kept active when 2FA gets activated.
What is the expected correct behavior?
When 2FA gets activated, all older sessions should be purged, forcing them to re-login with 2FA.
Impact
See above.
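As an added illustration (constructed for this write-up, not GitLab's code), the reported behavior and the expected fix modelled in Ruby: each session records the user's session version at login, enabling 2FA bumps that version, and any session issued under the old version fails validation on its next request. The class and method names (User, login, enable_two_factor!, session_valid?, reproduce) are hypothetical.

```ruby
require 'securerandom'

# Minimal model of a user's server-side sessions (constructed example).
class User
  attr_reader :two_factor_enabled, :session_version

  def initialize
    @sessions = {}            # session_id => { version: Integer }
    @two_factor_enabled = false
    @session_version = 0      # bumped whenever old sessions must die
  end

  # Log in from a device; the session remembers the version it was issued under.
  def login
    id = SecureRandom.hex(16)
    @sessions[id] = { version: @session_version }
    id
  end

  # Reported behavior: only the flag flips, existing sessions are untouched.
  def enable_two_factor_without_purge!
    @two_factor_enabled = true
  end

  # Expected behavior: bump the version so every pre-existing session is
  # rejected; only the session that performed the activation is re-issued.
  def enable_two_factor!(keep_session:)
    @two_factor_enabled = true
    @session_version += 1
    @sessions[keep_session][:version] = @session_version
  end

  # Check run on every request: the session must exist and be current.
  def session_valid?(id)
    s = @sessions[id]
    !s.nil? && s[:version] == @session_version
  end
end

# Reproduce the report: two sessions A and B, 2FA activated from A.
# Returns which sessions are still usable afterwards.
def reproduce(purge:)
  user = User.new
  a = user.login
  b = user.login
  purge ? user.enable_two_factor!(keep_session: a) : user.enable_two_factor_without_purge!
  { a: user.session_valid?(a), b: user.session_valid?(b) }
end
```

Without the purge both sessions stay valid (the bug); with it, session B is rejected and must log in again, now with 2FA.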