Page MenuHomePhabricator

Disabling two-factor authentication does not verify OATH token
Closed, ResolvedPublic


When a user wants to disable the two-factor authentication, he/she needs to supply a valid token to verify the request. However, OATH does not verify the token value provided by the user – the token is just passed from SpecialOATH::tryDisableSubmit to OATHUser::disable, probably assuming the latter verifies it. Which it does not, OATHUser::disable just disables the two-factor authentication, without paying any attention to the passed token.

Version: unspecified
Severity: major



Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:51 AM
bzimport set Reference to bz42334.

Patch committed to Gerrit as If5f6bc33.

Thanks for the bug report and fix. It's merged in!