Failure to Invalidate Session on Two-Factor Authentication Activation or Change
Overview of the Vulnerability
Failure to invalidate a session after a change in Two-Factor Authentication (2FA) can allow an attacker who has access to the session cookies full account access, where they can perform any action the user can. Most users expect that when they reset, change, or activate 2FA, no one else can access their account. When sessions are not invalidated upon 2FA activation or change, that trust is broken. Applications that fail to invalidate sessions when 2FA is activated or changed are more susceptible to account takeover by an attacker who has already gained a foothold in a legitimate user’s account.
An attacker may compromise a user’s session in a variety of ways, including calling an internal post-authentication page, modifying URL parameters, phishing the user, manipulating a form, or counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password or set their own 2FA on the account and lock out the legitimate user. The attacker’s actions are limited only by the privileges of the account they gain access to. This could include viewing or editing sensitive customer data, or viewing or editing other users’ permissions.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.
Steps to Reproduce
Sign into a user’s account (Browser A)
Sign into the same user’s account, using a different browser (Browser B)
Using Browser A, set up 2FA for the account
Using Browser B, perform an authenticated action, such as changing the profile name
Observe that the authenticated action is successful and that the user session is still valid
Proof of Concept (PoC)
The screenshots below show 2FA being set and the application failing to invalidate the session:
{{screenshot}}
Recommendation(s)
At a minimum, all non-current user sessions should be invalidated when the user sets up or changes their 2FA. However, it is best practice to invalidate all sessions upon 2FA activation or change, require the user to log in to their account again, and prompt for the newly created 2FA mechanism.
Short session expiration should be considered for all user sessions, since it gives an attacker less time to use a valid session ID. Session timeout values should be set based on business needs, taking into consideration the criticality of the application and the data it contains.
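The two recommendations above in working form, as an added example that is not part of this report template: a minimal session store with a short expiry, a 2FA activation handler that revokes the user's other sessions (or all of them), and the Steps to Reproduce replayed against it. The store, the `alice` user and the `CONSTRUCTED-SECRET` value are constructed for the example.

```python
import secrets
import time


class SessionStore:
    # In-memory store constructed for this example; the invalidation logic is what matters.
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> (user_id, expires_at)

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user_id, now + self.ttl)
        return sid

    def is_valid(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        if now >= entry[1]:  # short expiry limits a stolen id's useful life
            del self._sessions[sid]
            return False
        return True

    def revoke_all_for_user(self, user_id, keep=None):
        for sid, (uid, _) in list(self._sessions.items()):
            if uid == user_id and sid != keep:
                del self._sessions[sid]


def enable_2fa(store, user, sid, totp_secret, keep_current=False):
    # keep_current=True: the report's minimum (every other session is
    # invalidated); False: best practice (all sessions, forcing re-login).
    if not store.is_valid(sid):
        raise PermissionError("request is not authenticated")
    user["totp_secret"] = totp_secret
    store.revoke_all_for_user(user["id"], keep=sid if keep_current else None)


def reproduce_steps(keep_current=False):
    # Steps to Reproduce against the fixed handler: (A still valid, B still valid)
    store = SessionStore()
    user = {"id": "alice", "totp_secret": None}
    sid_a = store.create(user["id"])  # Browser A signs in
    sid_b = store.create(user["id"])  # Browser B signs in
    enable_2fa(store, user, sid_a, "CONSTRUCTED-SECRET", keep_current)
    return store.is_valid(sid_a), store.is_valid(sid_b)
```

With the fix in place, Browser B's authenticated action in step 4 fails because its session no longer exists; with `keep_current=False`, Browser A must also log in again and complete the new 2FA challenge.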
For further information, please see Open Web Application Security Project (OWASP):