Page MenuHomePhabricator
Create Task
Maniphest T131638

horizon accepts the same 2FA token as wikitech
Closed, ResolvedPublic
Actions

Description

How to reproduce

  1. Login at wikitech
  2. Get your 2FA token
  3. Copy the token
  4. Login at horizon
  5. Use the same token

It works in the inversed order too, e.g.:
Login to horizon, and use the same token at wikitech

I don't know, how long this is possible, but it has a big abuse potencial: Steal the 2FA token from a user, login into the other instance, and change his settings.

Related Objects

Event Timeline

Luke081515 created this task.Apr 2 2016, 8:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 2 2016, 8:01 PM
Luke081515 added a project: MediaWiki-extensions-TwoFactorAuthentication.Apr 2 2016, 8:02 PM
Luke081515 added subscribers: Krenair, csteipp.
Krenair removed a project: MediaWiki-extensions-TwoFactorAuthentication.Apr 2 2016, 8:02 PM
Krenair closed this task as Invalid.Apr 2 2016, 8:07 PM

It's supposed to do this, it was discussed in T105690 (which can probably be made public now)

csteipp reopened this task as Open.Apr 4 2016, 4:13 PM

I think what @Luke08151 may be saying is that mediawiki prevents the replay of OATH tokens, but if you replay the OATH token in horizon, then it works fine.

We could have horizon also check the same system for replayed tokens that mediawiki uses, but then horizon needs access to mediawiki's cache.

csteipp triaged this task as High priority.Apr 5 2016, 9:10 PM
Platonides subscribed.Apr 24 2016, 9:59 PM
csteipp renamed this task from horizon accepts the same 2FA token aus wikitech to horizon accepts the same 2FA token as wikitech.May 10 2016, 10:13 PM
csteipp added a project: Cloud-VPS.
Restricted Application added a project: Cloud-Services. · View Herald TranscriptMay 10 2016, 10:13 PM
Bawolff moved this task from Backlog / Other to Operational issues on the acl*security board.Jul 10 2016, 5:09 PM
Andrew closed this task as Resolved.Apr 21 2017, 7:48 PM
Andrew claimed this task.
Andrew subscribed.

I think this is fixed -- Horizon now uses the mediawiki 2fa plugin for verification, same as wikitech.

bd808 subscribed.Apr 21 2017, 8:35 PM

The MediaWiki code used for this was developed in T144712: Check for 2FA protection and enforce validation of 2FA tokens to support 2FA in Striker. Tokens are now validated by MediaWiki's OATH extension directly using a privileged API endpoint which also maintains a single cache of consumed tokens to prevent replay attacks.

bd808 changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 21 2017, 8:36 PM
chasemp edited projects, added Security; removed Cloud-VPS.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits