When a user wants to disable two-factor authentication, they need to supply a valid token to verify the request. However, OATH does not verify the token value provided by the user: the token is simply passed from SpecialOATH::tryDisableSubmit to OATHUser::disable, presumably on the assumption that the latter verifies it. It does not; OATHUser::disable just disables two-factor authentication without paying any attention to the passed token.
Version: unspecified
Severity: major
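A minimal model of the defect described above, with the unchecked disable path next to a hardened one that verifies the token first. This is an added illustration, not the OATHAuth extension's own code; the class and method names are hypothetical stand-ins, and the secret is the RFC 4226/6238 test-vector key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class OATHUserModel:
    """Hypothetical stand-in for the per-user two-factor state (not OATHUser itself)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.enabled = True

    def verify_token(self, token: str, now: int, window: int = 1) -> bool:
        # Accept the current time step plus/minus `window` steps to tolerate clock drift.
        counter = now // 30
        return any(hmac.compare_digest(hotp(self.secret, counter + d), token)
                   for d in range(-window, window + 1))

    def disable_unchecked(self, token: str) -> bool:
        # The defect the report describes: the token is received but never checked.
        self.enabled = False
        return True

    def disable_verified(self, token: str, now: int) -> bool:
        # Hardened form: refuse to disable unless the supplied token is valid.
        if not self.verify_token(token, now):
            return False
        self.enabled = False
        return True
```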