[Bug 42334] New: Disabling two-factor authentication does not verify OATH token

bugzilla-daemon Wed, 21 Nov 2012 12:10:27 -0800

https://bugzilla.wikimedia.org/show_bug.cgi?id=42334


       Web browser: ---
             Bug #: 42334
           Summary: Disabling two-factor authentication does not verify
                    OATH token
           Product: MediaWiki extensions
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: Unprioritized
         Component: OATHAuth
        AssignedTo: [email protected]
        ReportedBy: [email protected]
                CC: [email protected]
    Classification: Unclassified
   Mobile Platform: ---


When a user wants to disable the two-factor authentication, he/she needs to
supply a valid token to verify the request. However, OATH does not verify the
token value provided by the user – the token is just passed from
SpecialOATH::tryDisableSubmit to OATHUser::disable, probably assuming the
latter verifies it. Which it does not, OATHUser::disable just disables the
two-factor authentication, without paying any attention to the passed token.

-- 
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

[Bug 42334] New: Disabling two-factor authentication does not verify OATH token

Reply via email to