Project

General

Profile

Actions
Copy link

Bug #13768

open

UpdatePasswordWidget bypasses MFA

Added by Raf Pauwels about 1 month ago. Updated 3 days ago.

Status:
InProgress
Priority:
Normal
Assignee:
Raf Pauwels
Target version:
4.12.1
Start date:
06/05/2025
Due date:
% Done:

0%

Estimated time:

Description

The default implementation of UpdatePasswordWidget strongly authenticates a user as soon as their password is successfully changed. Not only is this discouraged by OWASP, but it bypasses second factor authentication altogether if this is in place.

The default lost password implementation reduces authentication to a single factor (email), even with MFA enabled. We can close this loophole by still requiring the normal login procedure after resetting the password.

Actions
Copy link
 #1

Updated by Raf Pauwels about 1 month ago

  • Status changed from New to InProgress
Actions
Copy link
 #2

Updated by Raf Pauwels about 1 month ago

  • Status changed from InProgress to Review
  • Assignee deleted (Raf Pauwels)
Actions
Copy link
 #3

Updated by Raf Pauwels 30 days ago

  • Status changed from Review to InProgress
  • Assignee set to Raf Pauwels

This should include a redirect to login with a notification asking the user to relogin.

Actions
Copy link
 #4

Updated by Matthias Van Ceulebroeck 3 days ago

  • Target version changed from 4.12.0 to 4.12.1
Actions
Copy link

Also available in: Atom PDF