Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2020-00907
- 發信 Vendor: 泓科科技有限公司
- Title: [Bounty] 泓科科技有限公司Session invalidation error after 2FA activation/reset
- Introduction: Session is not invalidating after 2FA activation or reset
處理狀態
目前狀態
-
新提交
-
已審核
-
已通報
-
已修補
-
未複測
-
公開
處理歷程
- 2020/10/24 22:44:13 : 新提交 (由 Prasanthpro 更新此狀態)
- 2020/11/15 23:54:06 : 內部作業 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2020/11/17 00:14:26 : 審核完成 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2020/11/17 10:14:39 : 修補中 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2020/11/17 10:14:39 : 審核完成 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2020/11/17 10:14:39 : 修補中 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2020/12/24 03:00:01 : 公開 (由 HITCON ZeroDay 平台自動更新)
- 2020/12/30 17:57:41 : 已修補 (由 HITCON ZeroDay 服務團隊 更新此狀態)
- 2021/01/07 03:00:05 : 公開 (由 HITCON ZeroDay 平台自動更新)
詳細資料
- ZDID:ZD-2020-00907
- 通報者:7010318280 (Prasanthpro)
- 風險:無
- 類型:存取控制缺陷 (Broken Access Control)
參考資料
OWASP Top 10 - 2017 A5 - Broken Access Control
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
CWE-284: Improper Access Control
https://cwe.mitre.org/data/definitions/284.html
相關網址
敘述
Hi team,
I found one issue related to your 2FA system on https://www.bitopro.com.
Steps to reproduce:
1 Login the same account on https://www.bitopro.com in two devices (I used Chrome and incognito window)
2 On device 'A' go to https://www.bitopro.com/ns/setting/security complete all steps to activate or reset the 2FA system - Now the 2FA is activated/reset for this account
3 Back to device 'B' reload the page
The session still active :-(
Refer my PoC Video for more detail - https://drive.google.com/file/d/1VDjrMnhmpWCbxUjHJrfTyzkFZjRvHA8A/view?usp=sharing
Impact - In this scenario when 2FA is activated/reset the other sessions of the account are not invalidated.
Mitigation: 2FA is required to login. I believe the expected and recommended behavior here is to terminate the other sessions> request a new login> request the 2FA code> so then give the account access again