Short Description
Incomplete unregistration of 2FA push notification service after reset
Reporting Date
- August 2023
Details
When using the RESET ALL DATA function in the 2FA authenticator app, the push notification service (e.g. APN on iOS) was not properly unsubscribed. This resulted in encrypted push notifications continuing to be sent to the previously unregistered device during new user logins (as long as no new 2FA device had been registered).
Impact
Low
References
- Bug Bounty ID: MAYOR-huarache (Public)
- Internal ID: Request-ID 2203
❤ Thanks to
Hassan Jawaid for reporting the described issue.