Open andynz2017 opened 5 years ago
Thanks for this detailed report Andy. I’m limited by the interface provided by Roundcube - it’s not very well suited for 2FA. At first glance, this seems to be related to the fail() method. I’ll see what I can do.
@northox maybe it is worth the while upstreaming a patch that loosens this limitation, if appropriate?
Summary:
Recommended Improvement for Review: When 2FA is enabled and legitimate credentials are provided, the response should be "Logon Failed", so that an attacker is not told that the original credentials used were correct. In addition, the second factor/token validation should occur before attempting to validate the user credentials. This would mitigate brute force attacks against the initial factor. I'm wondering if a better approach would be to:
Tests carried out:
Test 1:
Test 2:
Test 3:
Test 4:
Test 5:
Thoughts appreciated. I'm not really a developer but thought that the failure message was a little odd. Believe this is an issue worthy of raising/discussion.
Cheers, A
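As an added illustration of the two points raised in the report (this is example code written for this thread, not the plugin's or Roundcube's own code), the block below puts the reported flow next to a hardened one. The leaky flow answers with a different message once the password has been accepted, which is exactly the oracle the report describes; the uniform flow checks the token first, still evaluates the password, and returns the same "Login failed" whichever factor was wrong, including for unknown usernames. The user record, salt, TOTP secret and function names are constructed for the demo; the TOTP routine follows RFC 6238 (SHA-1, 30-second step).

```python
import hashlib
import hmac
import struct

# --- TOTP (RFC 6238 on top of RFC 4226 HOTP, SHA-1, 30 s step) -------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a single counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Time-based code for the 30 s window containing `now` (Unix seconds)."""
    return hotp(secret, now // step)

def totp_matches(secret: bytes, token: str, now: int, window: int = 1) -> bool:
    """Accept the current code or +/- `window` steps of clock drift.
    Every candidate is compared (no early return) and each comparison is
    constant-time, so the check itself leaks nothing about which step hit."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * 30)
        ok |= hmac.compare_digest(expected, token)
    return ok

# --- constructed user store (sample data for the demo, not a real backend) --
SALT = b"constructed-salt"
TOTP_SECRET = b"constructed-totp-secret-for-demo"

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

USERS = {
    "andy": {"pw": _hash_password("correct horse", SALT), "secret": TOTP_SECRET},
}
# Dummy record used for unknown usernames so that the same work is done
# (password hash + TOTP check) and the caller cannot distinguish the cases.
DUMMY = {"pw": _hash_password("dummy-password", SALT), "secret": b"dummy-secret"}

def password_matches(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["pw"], _hash_password(password, SALT))

# --- leaky flow: the behaviour the report describes ------------------------
def leaky_login(username: str, password: str, token: str, now: int) -> str:
    user = USERS.get(username)
    if user is None or not password_matches(user, password):
        return "Login failed"
    if not totp_matches(user["secret"], token, now):
        return "Invalid 2FA code"   # tells the caller the password was right
    return "OK"

# --- hardened flow: token checked first, both factors always evaluated, -----
# --- and a single failure message regardless of which factor was wrong -----
def uniform_login(username: str, password: str, token: str, now: int) -> str:
    known = username in USERS
    user = USERS.get(username, DUMMY)
    totp_ok = totp_matches(user["secret"], token, now)   # second factor first
    pw_ok = password_matches(user, password)             # still always evaluated
    if known and totp_ok and pw_ok:
        return "OK"
    return "Login failed"

if __name__ == "__main__":
    now = 1_700_000_000                      # fixed clock for a repeatable demo
    good = totp(TOTP_SECRET, now)
    print("leaky, right password, wrong token:  ",
          leaky_login("andy", "correct horse", "000000", now))
    print("uniform, right password, wrong token:",
          uniform_login("andy", "correct horse", "000000", now))
    print("uniform, everything right:           ",
          uniform_login("andy", "correct horse", good, now))
```

Running the script shows the difference in one line each: the leaky flow answers "Invalid 2FA code" when only the token is wrong, the uniform flow answers "Login failed" for that case, for a wrong password and for an unknown user alike, and "OK" only when both factors pass. Rate limiting and lockout on the combined attempt would sit on top of this, but the message and evaluation order alone remove the oracle the report is about.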