this post was submitted on 26 Jul 2023
12 points (92.9% liked)

Lemmy Support

4660 readers
30 users here now

Support / questions about Lemmy.

Matrix Space: #lemmy-space

founded 5 years ago
MODERATORS
 

cross-posted here from https://sh.itjust.works/post/1658215 to get some additional feedback on this.

Hi,

As my regular instance was experiencing downtime, I decided it might be a good idea to have a backup account on a different instance. So I created a new account on feddit.uk, configured 2FA and all was well. Although…

When I later tried to log on using Voyager, it kept returning a connection error. I tried logging on to the instance directly using the browser: no error, but just lands back on the login page.

Seems like the issue was caused because of the password length (originally 65 characters). Resetting my password and bringing it down to 45 characters resolved the issue. However, directly after the password reset, I was logged in, and my 2FA code wasn't asked?!

For a minute I thought it might be due to cached credentials, but retrying the same scenario in a private window confirmed it. This means that if your e-mail account is compromised, 2FA will no longer protect you.

Another possible issue (just to be clear, in this scenario, your e-mail account is not compromised): if someone is able to access your account (maybe you forgot to log out), they can modify your e-mail address without you being notified, nor do they need to know your password. A verification e-mail will be sent to the new address, and they can reset your password using the approach described above. The new e-mail address does not need to be verified to do so (a verification e-mail is sent, but resetting the password works even if you don't verify), and the old e-mail address is not given a heads up of the change (I know, the old address might no longer work, but still).

Not only can your password be reset this way, after gaining entry, 2FA can be disabled without issue.

Am I wrong in thinking the scenarios described above are security issues? Thanks for your feedback!

top 5 comments
sorted by: hot top controversial new old
[–] [email protected] 7 points 1 year ago (1 children)

You are correct, this is one of several security issues with the current 2fa implementation.

I started working on an improved version of 2fa for Lemmy last week. Unfortunately, I've been very busy for the past few days with some other stuff, but I'm hoping to get a PR up this weekend.

[–] yesbutnobutyesbutno 2 points 1 year ago

Thank you, your hard work is very much appreciated!

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

They fixed it ( the 2fa bypass; now resetting password won't log you in) looks like it'l be in 0.18.3 ( not out yet, but its up to release candidate 3, so soon)

[–] themoonisacheese 1 points 1 year ago

It depends on whether or not account security is more important to you than being able to change your email if you lose access to the old one.

In the scenario your email is compromised, it is expected you lose all accounts associated with it. That's just how the modern internet is.

[–] [email protected] 0 points 1 year ago

Hi

This is a known bug already

load more comments
view more: next ›