2-Factor authentication code is not checked during password reset
HackerOne report #679673 by droblin
on 2019-08-22, assigned to jmatos_bgtvf
2-Factor authentication code is not asked during password reset
When 2-Factor authentication is enabled, the 2FA token must be verified before the user's password is changed (GitHub and Google do this, for example).
Steps to reproduce
1. Enable 2FA.
2. Start the password reset process.
3. Click the password reset link in the received email.
4. The link opens a page with "password" and "confirm password" fields.
5. After a new password is submitted, the password is effectively reset.
Expected:
At step 4 the user is challenged for their 2FA token before proceeding to actually change the password.
Impact
With 2FA enabled, a user can still be locked out of their account if their email is compromised.
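The flow described above, as an added example that is not part of the report or of any vendor's code: the handler that resets a password from the emailed token alone, beside the hardened handler that additionally demands a valid TOTP code for 2FA-enabled accounts. The user store, field names and secret are constructed assumptions.

```python
import hashlib, hmac, secrets, struct

# Constructed in-memory stores with assumed field names, not any real project's data model.
USERS = {"alice": {"pw_hash": None, "totp_secret": b"constructed-secret-alice", "mfa": True}}
RESET_TOKENS = {}  # reset token -> (username, expiry timestamp)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, used only to verify the user's second factor."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def issue_reset_token(username: str, now: int) -> str:
    """Report steps 2-3: the single-use token embedded in the emailed reset link."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, now + 15 * 60)
    return token

def _valid_token_owner(token: str, now: int):
    username, expires = RESET_TOKENS.get(token, (None, 0))
    return username if username is not None and now <= expires else None

def _set_password(user: dict, new_password: str) -> None:
    salt = secrets.token_bytes(16)
    user["pw_hash"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))

def reset_password_vulnerable(token: str, new_password: str, now: int) -> bool:
    """Behaviour the report describes: possession of the emailed link alone resets the password."""
    username = _valid_token_owner(token, now)
    if username is None:
        return False
    RESET_TOKENS.pop(token)
    _set_password(USERS[username], new_password)
    return True

def reset_password_hardened(token: str, new_password: str, now: int, otp: str = "") -> bool:
    """Expected behaviour (report step 4): a 2FA-enabled account must also present a valid TOTP code."""
    username = _valid_token_owner(token, now)
    if username is None:
        return False
    user = USERS[username]
    if user["mfa"] and (not otp or not hmac.compare_digest(otp, totp(user["totp_secret"], now))):
        return False  # token stays valid so the legitimate user can retry with their code
    RESET_TOKENS.pop(token)  # consume the token only once the reset actually happens
    _set_password(user, new_password)
    return True
```

A real deployment would also rate-limit OTP attempts on the reset page and accept a small clock-skew window around the current TOTP step.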