[GH-ISSUE #100] Security issue with 2fa module set #80

Closed
opened 2026-02-25 21:34:06 +03:00 by kerem · 1 comment
Originally created by @jasonmunro on GitHub (Aug 1, 2016).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/100

The 2 factor authentication module set has a security flaw. It uses the same shared secret for all users of a site - making it possible for another user on the same site to generate the TOTP pin required for login. My plan to fix this is:

  • use pbkdf2 to combine the site secret with the username to create a unique TOTP key per user.
  • disable 2fa on accounts that have it enabled by changing the setting name, and prompting them to re-add the png barcode of the shared secret and re-enable 2fa, which will update their authentication app.
  • build logic around "versioning" of settings (This came up WRT to some other potential security issues, and could be a useful way for modules to maintain backwards compatibility in situations like this).
  • build support for 3 2fa emergency codes for cases like this (and for other situations like losing your 2fa device).
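To illustrate the flaw and the first point of the plan above, here is an added example (not Cypht's code and not the author's): it shows that a site-wide shared secret gives every user the same TOTP code, and how a PBKDF2 derivation over the site secret and username yields a distinct key per user. The site secret, usernames, SHA-256 and the iteration count are constructed assumptions; the issue does not specify PBKDF2 parameters.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo value (not Cypht's): the one secret the flawed module
# set handed to every user of the site unchanged.
SITE_SECRET = b"constructed-site-wide-secret-value"


def totp(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix timestamp."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def shared_totp_key(site_secret: bytes, username: str) -> bytes:
    """Flawed scheme described in the issue: the key ignores the username,
    so any user of the site can generate any other user's code."""
    return site_secret


def per_user_totp_key(site_secret: bytes, username: str,
                      iterations: int = 100_000) -> bytes:
    """Planned fix: PBKDF2 binds the site secret to the username. A user who
    knows only their own key cannot recover the site secret or another
    user's key. 20-byte output matches the SHA-1 key length TOTP apps expect.
    SHA-256 and the iteration count are assumptions, not the project's."""
    return hashlib.pbkdf2_hmac("sha256", site_secret,
                               username.encode("utf-8"), iterations, dklen=20)


def provisioning_secret(key: bytes) -> str:
    """Base32 form that goes into the barcode users re-scan on re-enrolment."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def codes_collide(keyfunc, site_secret: bytes, users, timestamp: int) -> bool:
    """True if two different users would produce the same TOTP code."""
    codes = [totp(keyfunc(site_secret, u), timestamp) for u in users]
    return len(set(codes)) < len(codes)


if __name__ == "__main__":
    now = int(time.time())
    print("shared secret collides:", codes_collide(shared_totp_key, SITE_SECRET, ["alice", "bob"], now))
    print("per-user key collides: ", codes_collide(per_user_totp_key, SITE_SECRET, ["alice", "bob"], now))
```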
kerem closed this issue 2026-02-25 21:34:06 +03:00
@jasonmunro commented on GitHub (Aug 1, 2016):

all fixes pushed to master
