The 2FA code verification does not store successfully used one-time passwords, and allows them to be used multiple times.
Steps to reproduce:
1. Open TorBrowser
2. Login with username and password in TorBrowser
3. Login with username and password locally
4. Observe the login is successful
This is minor because intercepting the 2FA code is not straightforward. The site uses TLS and HSTS, which makes performing a MitM difficult (assuming CAs do their job properly). The main threat model here is a (potentially hardware-based) key logger, where we will get the username, password and TOTP but not the session cookie. With Auth in its current state, this information is enough to take over an account by reusing a code that should have been invalidated.
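As an added example (not part of this report or of Auth's code), a minimal TOTP check in Python that puts the flaw described here, a verifier that keeps no record of consumed codes, next to one that records the last accepted time step for the account and refuses that step and anything earlier. The secret is the RFC 6238 reference secret so the values are checkable; the function and class names are constructed for this illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept one step of clock skew on either side

# RFC 6238 reference secret, used here only so the vectors are checkable.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


def verify_stateless(secret: bytes, code: str, now: int) -> bool:
    """The flawed check: any code inside the window is accepted, however often
    it is presented, because nothing records that it was already consumed."""
    current = now // STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(current - WINDOW, current + WINDOW + 1))


class ReplaySafeVerifier:
    """Tracks the highest time step already accepted for one account and
    refuses that step and everything before it (RFC 6238, section 5.2)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter = -1   # would be persisted per user in a real system

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter <= self.last_counter:
                continue         # already consumed: a replay, even if it matches
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```

With the stateless check, the same code logs in twice within the window; the replay-safe verifier accepts it once and rejects the second attempt, which is the behaviour this report asks for.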