magento-hackathon / Magento-Two-factor-Authentication

Should be time-based or counter-based (HOTP/TOTP), and support the Google Authenticator mobile app.
https://github.com/orgs/magento-hackathon
MIT License

Clicking any link while on 2FA-Input in Customer-Account will just let you in #17

Open tobihille opened 9 years ago

tobihille commented 9 years ago

Serious security issue!

Way to reproduce:

  1. Login
  2. Click on "Back" or "Account > My Account"
  3. You're in now

avoelkl commented 9 years ago

The two factor authentication for customers is not production ready yet, there's some more to do. Thanks for pointing that out.

tobihille commented 9 years ago

I think I fixed it, but it's very experimental, please test extensively before merging. Just hacked it on a (hopefully) bright moment between MM15DE and aftershow party. Branch: https://github.com/magento-hackathon/Magento-Two-factor-Authentication/tree/TFA_Customer

avoelkl commented 9 years ago

Hi Tobi,

I tried your fix and merged it with the latest changes, but it did not work. I pushed it to the TFA_Customer branch if you want to have a look at it again.

lg Anna

tobihille commented 9 years ago

Hi,

thanks for the info. Will have a look again later. Currently I'm working on a Test-Framework based on Xtest, this task is taking all my free time atm ;-)