topcoder-platform / TCO21-Regionals-QA-Competition


Application allows an invalid MFA code an unlimited number of times, which may lead to brute force on compromised accounts #125

Open rprakash20 opened 3 years ago

rprakash20 commented 3 years ago

Assumptions

User has valid credentials to log in and has set up 2-Step Verification on the account

Steps to Reproduce

  1. Open app in browser
  2. Click on Sign in
  3. Fill in your email ID and password
  4. Now the app will show the 2-Step Verification page
  5. Try to enter invalid codes multiple times
  6. Notice the behavior

Target URL

https://www.newegg.com/ https://secure.newegg.com/

Screenshots or Screen Capture

https://user-images.githubusercontent.com/5712602/128213435-031a4a0f-c470-46f0-8ad2-55c8b1c50736.mov

Current Results

Application allows an invalid MFA code an unlimited number of times, which may lead to brute force on compromised accounts

Expected Results

Application should limit the number of attempts with an invalid MFA code, and if the user has made that many invalid attempts, the user must be notified by email of multiple MFA failures.

Browser version and OS version
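An added example, not code from the report or from the site under test, of the server-side control the expected result asks for: count failed second-factor codes per account, lock the verification step after a fixed number of failures, and queue an email notice. The code check is RFC 6238 TOTP with HMAC-SHA1; the attempt limit, lockout period and the `Account` record are constructed for illustration.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5        # constructed policy value: failures tolerated before lockout
LOCKOUT_SECONDS = 900   # constructed policy value: how long the second factor stays locked


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    email: str
    secret: bytes
    failures: int = 0
    locked_until: int = 0
    notifications: list = field(default_factory=list)  # stands in for an outbound mail queue


def verify_mfa(acct: Account, submitted: str, now: int) -> str:
    """Check a submitted code; returns 'ok', 'invalid' or 'locked'.

    Failures are counted per account. Reaching MAX_ATTEMPTS locks the step
    until `locked_until` and queues an email notice to the account owner.
    """
    if now < acct.locked_until:
        return "locked"  # refuse to evaluate codes at all while locked
    if hmac.compare_digest(totp(acct.secret, now), submitted):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
        acct.notifications.append(
            f"to={acct.email} subject='Multiple failed 2-Step Verification attempts' at={now}"
        )
    return "invalid"
```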

codejamtc commented 3 years ago

Submitter: 10 Points