
OTP Activation Enables Full Account Takeover #1659

Open
NH-Limon opened this issue Feb 3, 2025 · 1 comment

Comments


NH-Limon commented Feb 3, 2025

Describe the bug
An attacker can create a Runbox account using the victim’s email. Even without email verification, the attacker can log in and enable OTP, locking the victim out permanently.

To Reproduce
Steps to reproduce the behavior:

  1. Create a Runbox account using the victim's email
  2. A verification mail will be sent to the victim's email
  3. The victim won't notice that and thus doesn't verify the mail.
  4. As an attacker, go to the login page and try to log in with the username and password of the account you created a while ago
  5. You will see that login is successful
  6. Now go to account security and generate and enable OTP from there
  7. Victim's account takeover successful. The victim won't be able to access his account anymore

Expected behavior
Login shouldn't be possible without email verification. Also, OTP generation or enabling shouldn't be possible without email verification of a user

Severity
High (P1)

PoC Video Link
https://drive.google.com/file/d/11o0yaLyOH93v3Kx7Fe26freSPzHOpCXM/view?usp=sharing
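The expected behavior above, modelled as an added example (constructed toy model with hypothetical names, not Runbox code): with `require_verification=False` the service behaves as the report describes, and with it on, login and OTP enablement are refused until the address is verified. It also assumes an expiry for never-verified sign-ups (`VERIFY_TTL`) so the mailbox owner can still register.

```python
import secrets
from dataclasses import dataclass

VERIFY_TTL = 24 * 3600  # assumption: an unverified sign-up expires after a day

@dataclass
class Account:
    email: str
    password: str  # plaintext only in this toy model
    verify_token: str
    created_at: float
    email_verified: bool = False
    otp_enabled: bool = False

class AuthService:
    # require_verification=False reproduces the gap in the report
    def __init__(self, require_verification: bool):
        self.require_verification = require_verification
        self.accounts: dict[str, Account] = {}
    def register(self, email, password, now):
        existing = self.accounts.get(email)
        # An expired, never-verified sign-up must not block the real owner.
        if existing and not existing.email_verified and now - existing.created_at > VERIFY_TTL:
            del self.accounts[email]
            existing = None
        if existing:
            raise ValueError("email already registered")
        acct = Account(email, password, secrets.token_urlsafe(16), now)
        self.accounts[email] = acct
        return acct.verify_token  # stands in for the verification e-mail
    def verify(self, email, token):
        acct = self.accounts[email]
        if secrets.compare_digest(acct.verify_token, token):
            acct.email_verified = True
        return acct.email_verified
    def _require_verified(self, acct):
        # The fix: every sensitive action is gated on a verified address.
        if self.require_verification and not acct.email_verified:
            raise PermissionError("email address not verified")
    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            return False
        self._require_verified(acct)
        return True
    def enable_otp(self, email):
        acct = self.accounts[email]
        self._require_verified(acct)
        acct.otp_enabled = True
        return acct.otp_enabled
```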


NH-Limon commented Feb 7, 2025

Do you have any updates, please?
