A 2FA bypass would mean you can completely bypass the TFA protections. His attack doesn't allow that - you still need to steal the OTP somehow. It's only notable in situations where you can steal OTPs but for some reason only after they have been used. That does not seem like a likely scenario so I'd say it is low priority.
Still, it's definitely an embarrassing flaw and probably trivial to fix so taking over a year to fix it is not great.
* It was initially closed as "not applicable". I had to insist that it was a vulnerability.
* It was originally scheduled to be fixed within about 90 days, which was reasonable, but they kept delaying it more and more.
* They took 4 months to notify me that they'd fixed it. That's 21 months in total from opening to closing it.
* They miscategorised the severity as low, when the exact same vulnerability was medium. It's quite feasible for a determined attacker to set up a camera to record a monitor, and it doesn't require any special exploit code or tools. Exploiting it gives you access to the "crown jewels".
* They didn't open a CVE. Probably didn't issue a security bulletin to their customers, but I didn't check.
* They don't commit to fixing security issues in a timely manner.
* They didn't make the effort to fix the issue themselves; it was incidentally fixed when they eventually updated a dependency which had been unmaintained for years.
* The fix was as simple as pointing to a patched fork of the dependency (there was an unmerged PR), not something that requires more than a year to fix.
People like you are why companies hate bug bounty programs. Complaining about a bug marked low severity when your stated attack vector requires installing a physical camera.
Are you saying that a valid TOTP code can be reused within its validity period? What’s the proposed threat model here (how is an adversary using this to inflict harm)?
Given the engineering effort of tracking used tokens and the relatively low exploitability it seems odd to generalize to the entire organization based on this.
> Are you saying that a valid TOTP code can be reused within its validity period? What’s the proposed threat model here (how is an adversary using this to inflict harm)?
Allowing re-use violates the RFC:
> Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
Theoretically it means that if someone has your password and has MITM'd you or has a keylogger on you, they can log in as you in the 30 second window.
That said, someone with the level of access required to exploit this vulnerability isn't going to be stopped because GitLab patches it. There are plenty of other things they could do with that kind of access.
This is why threat vector analysis is so important, because in your case, there is no additional vector. If someone has MITM'd you, they can just intercept your token before they pass it to Gitlab.
And to your other point, you're right, if your adversary already has a keylogger running on your device you're pretty much screwed in any case.
Valid TOTPs should still only work once when implemented well.
And yes, it's not easy to exploit. The idea is something like malware that could sit and intercept a successful login, then initiate its own session by re-using the MFA code before it expires.
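The RFC requirement quoted above and the "valid TOTPs should still only work once" point come down to one piece of verifier state. The following is an added illustration written for this discussion, not GitLab's code or the code of the dependency mentioned in the thread: a minimal RFC 4226/6238 TOTP implementation plus two verifiers, one that only checks the code against the current window (so a captured code replays until the 30-second step ends) and one that also records the highest time step already consumed and refuses anything at or below it. The seed `12345678901234567890` is the RFC 6238 SHA-1 test seed and the timestamps are constructed for the demo; tracking the highest accepted step (rather than just the exact OTP) is a common, slightly stricter way to satisfy the RFC's MUST NOT, and is an implementation choice here, not something the thread specifies.

```python
import hashlib
import hmac
import struct

STEP = 30   # RFC 6238 default time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


class NaiveVerifier:
    """Checks the code against the current window (+/- skew) and nothing else.

    Any code captured from a successful login can be replayed until its window ends.
    """

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew

    def verify(self, code: str, now: int) -> bool:
        t = now // STEP
        return any(
            hmac.compare_digest(hotp(self.secret, t + d), code)
            for d in range(-self.skew, self.skew + 1)
        )


class OneTimeVerifier(NaiveVerifier):
    """Same window check, but remembers the highest time step that already logged in.

    This is the state the RFC's "MUST NOT accept the second attempt" requires; in a
    real deployment it lives per user in the database, not on the object.
    """

    def __init__(self, secret: bytes, skew: int = 1):
        super().__init__(secret, skew)
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        t = now // STEP
        for d in range(-self.skew, self.skew + 1):
            step = t + d
            if step <= self.last_step:
                continue  # this window (or an older one) already produced a login
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


def demo(now: int = 59) -> dict:
    """Constructed scenario: the user logs in at `now`; malware replays the same code 5s later."""
    secret = b"12345678901234567890"  # RFC 6238 test seed, not a real credential
    code = totp(secret, now)
    naive = NaiveVerifier(secret)
    strict = OneTimeVerifier(secret)
    return {
        "naive_first": naive.verify(code, now),
        "naive_replay": naive.verify(code, now + 5),       # accepted: the flaw in the thread
        "strict_first": strict.verify(code, now),
        "strict_replay": strict.verify(code, now + 5),     # rejected: step already consumed
        "strict_next_window": strict.verify(totp(secret, now + STEP), now + STEP),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The strict verifier still tolerates one step of clock skew in either direction, so a legitimate user whose phone is a few seconds behind is not locked out; what it refuses is a second login from a window that has already been spent. The trade-off to be aware of is that the "highest step" must be persisted atomically per user, otherwise two concurrent login requests can both read the old value and both succeed.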
They didn't even bother creating a CVE for it.
It doesn't seem like they take security very seriously.