Short Description
After removing Two-Factor Authentication (2FA), user sessions on other devices or browsers are not expired
Reporting Date
- September 2023
Details
If 2FA is removed from a user, the tokens previously issued to that user are not revoked and remain valid.
Therefore a token that was compromised before the change remains valid after the 2FA change and can still be used to access the system; the affected user has no way to cut off an attacker's existing session by changing their 2FA settings.
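The following is an added illustration of the defect and its fix, not the affected vendor's code. It assumes a hypothetical server-side session store in which each user carries an `auth_version` counter; the vulnerable validator only checks that a token exists, while the fixed validator also requires the token's recorded `auth_version` to match the user's current one. Removing 2FA bumps the counter, which revokes every session issued before the change, optionally keeping the session that performed the change so the acting device is not logged out. All names, the user `alice`, and the TOTP secret are constructed for the example.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory session store (example only, not vendor code)."""

    def __init__(self):
        self.users = {}     # user_id -> {"auth_version": int, "totp_secret": str | None}
        self.sessions = {}  # token   -> {"user_id": str, "auth_version": int}

    def add_user(self, user_id, totp_secret=None):
        self.users[user_id] = {"auth_version": 1, "totp_secret": totp_secret}

    def login(self, user_id):
        # Each session records the auth_version in force when it was issued.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user_id": user_id,
            "auth_version": self.users[user_id]["auth_version"],
        }
        return token

    def validate_vulnerable(self, token):
        # Reported behaviour: any token that exists is accepted, regardless of
        # security-relevant changes (such as 2FA removal) made after issuance.
        s = self.sessions.get(token)
        return s["user_id"] if s else None

    def validate_fixed(self, token):
        # Fixed behaviour: a token issued under an older auth_version is treated
        # as revoked and dropped from the store.
        s = self.sessions.get(token)
        if s is None:
            return None
        if s["auth_version"] != self.users[s["user_id"]]["auth_version"]:
            del self.sessions[token]
            return None
        return s["user_id"]

    def remove_2fa(self, user_id, keep_token=None):
        # Removing 2FA is a security-relevant change: bump auth_version so every
        # session issued before this point (other devices, browsers, or an
        # attacker's stolen token) fails validate_fixed from now on.
        user = self.users[user_id]
        user["totp_secret"] = None
        user["auth_version"] += 1
        # Optionally re-bind the session that performed the change so the user
        # is not logged out of the device they are currently using.
        if keep_token in self.sessions and self.sessions[keep_token]["user_id"] == user_id:
            self.sessions[keep_token]["auth_version"] = user["auth_version"]


def demo():
    """Returns (vulnerable_result, fixed_result_other, fixed_result_actor)."""
    store = SessionStore()
    store.add_user("alice", totp_secret="JBSWY3DPEHPK3PXP")  # constructed secret
    other_device = store.login("alice")   # e.g. a token an attacker captured earlier
    acting_device = store.login("alice")  # the session that removes 2FA
    store.remove_2fa("alice", keep_token=acting_device)
    return (
        store.validate_vulnerable(other_device),  # "alice": old token still works (the bug)
        store.validate_fixed(other_device),       # None: revoked by the version bump
        store.validate_fixed(acting_device),      # "alice": actor's own session kept
    )


if __name__ == "__main__":
    print(demo())
```

A database-backed implementation applies the same rule: store `auth_version` (or a "sessions valid after" timestamp) on the user row, copy it into each session or token claim at issuance, and compare on every request. The same bump should also happen on password change and 2FA enrolment, since those are the other events after which a previously stolen token must stop working.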
Impact
Medium
References
- Bug Bounty ID: dustbin-DIARIST (Public)
- Internal ID: SEC-844
❤ Thanks to
Hassan Jawaid for reporting the described issue.