bangingheads / UserSpiceTwoFactor

Two Factor Authentication For UserSpice 5.1.4+

Secret 2FA key stored in cleartext in database #1

Open iMelsom opened 3 years ago

iMelsom commented 3 years ago

When generating the QR code for the two-factor app, the secret key for manual entry is stored in clear text. This means that anyone getting access to the database may add any user with two-factor active to their two-factor app.

This may at root be a UserSpice / plugin hook issue, but it is still a weakness.

bangingheads commented 3 years ago

The "manually entered key" is used to verify your key on the server side so it has to be stored in that sense.

Basically with this implementation if you have database access you are able to disable 2FA/change the key, which is a separate issue of its own.

Are we more worried about a vulnerability that could dump the users db in which it would be displayed in plain text?

We could do a file based generated encryption key.

iMelsom commented 3 years ago

The weakness lies in that the key is stored unencrypted in the database. Simply adding encryption routines to the addons to store the key in an encrypted form would mean that a database breach does not reveal the keys for all users.
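One way to do what the thread proposes (a key held in a file outside the web root, TOTP secret encrypted before it reaches the database), as an added example that is not the plugin's or UserSpice's own code. It assumes PHP with the sodium extension and a hypothetical key-file path; the database column then holds base64 of nonce plus ciphertext instead of the raw base32 secret.

```php
<?php
// Added example, not UserSpiceTwoFactor code. Requires ext/sodium (PHP >= 7.2).

const KEY_FILE = '/etc/userspice/2fa.key'; // hypothetical path, outside the web root

// Load the file-based key, generating it on first use with owner-only permissions.
function loadKey(string $path = KEY_FILE): string {
    if (!file_exists($path)) {
        $key = sodium_crypto_secretbox_keygen();
        if (file_put_contents($path, $key, LOCK_EX) === false) {
            throw new RuntimeException("cannot write key file $path");
        }
        chmod($path, 0600); // readable only by the web server user
    }
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('invalid 2FA key file');
    }
    return $key;
}

// Returns base64(nonce || ciphertext), suitable for a VARCHAR column.
function encryptSecret(string $plainSecret, string $key): string {
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh nonce per row
    $cipher = sodium_crypto_secretbox($plainSecret, $nonce, $key);
    return sodium_bin2base64($nonce . $cipher, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// Reverses encryptSecret; null if the row is malformed, tampered with, or the key is wrong.
function decryptSecret(string $stored, string $key): ?string {
    try {
        $raw = sodium_base642bin($stored, SODIUM_BASE64_VARIANT_ORIGINAL);
    } catch (SodiumException $e) {
        return null;
    }
    if (strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key); // authenticated decrypt
    return $plain === false ? null : $plain;
}

// Usage: at enrollment store encryptSecret($secret, $key) in the user's row;
// at login decrypt it and hand the result to the TOTP verifier.
$key    = loadKey(sys_get_temp_dir() . '/2fa-demo.key'); // demo path only
$secret = 'JBSWY3DPEHPK3PXP';                             // constructed base32 secret
$stored = encryptSecret($secret, $key);
var_dump(decryptSecret($stored, $key) === $secret);        // bool(true)
var_dump(decryptSecret($stored, str_repeat("\0", 32)));    // NULL: wrong key is rejected
```

This only helps against a database-only breach: whoever can read both the database and the key file still recovers the secrets, and, as noted above, database write access can still disable 2FA or swap the stored value.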