Hacker News new | past | comments | ask | show | jobs | submit login

Are you saying that a valid TOTP code can be reused within its validity period? What’s the proposed threat model here (how is an adversary using this to inflict harm)?

Given the engineering effort of tracking used tokens and the relatively low exploitability it seems odd to generalize to the entire organization based on this.




There can be several threat models:

* Industrial espionage and state actors - somebody setting up a camera to record the monitor and reusing the token

* Phishing site - the token can be reused, and then redirected to original site. There wouldn't even be an error

* Keylogger

* Somebody logging in while sharing the screen during a Zoom call

* Somebody standing over the shoulder, etc.

Considering this could be prevented with a single if statement, and how important 2FA is in protecting accounts, that's certainly my impression.

The password can be found out through other means, e.g. (password reuse, phishing, keylogger, etc.)

For comparison, the exact same vulnerability was rated as medium severity (5.3/10) - high impact, but difficult to exploit

https://nvd.nist.gov/vuln/detail/CVE-2015-7225


Really? A single if statement is all it would take? More hyperbole from you...

(How do you log used codes, check if a code was previously used, and clean up old used codes in a single if statement?)


It already recorded in the database when the TOTP was last used, but it allowed to reuse the same code during the grace period (30 seconds later).


Allowing authentication not only within the original time frame but one interval before and after is by design: https://en.wikipedia.org/wiki/Time-based_one-time_password#S... .


The security issue is with allowing reuse, and not because of allowing use in the previous and next time frames.


Not OP, but yes really.

Check the last login/session/whatever for that account and if it was within the period of the TOTP that was submitted, force a relog.


> Are you saying that a valid TOTP code can be reused within its validity period? What’s the proposed threat model here (how is an adversary using this to inflict harm)?

Allowing re-use violates the RFC:

   Note that a prover may send the same OTP inside a given time-step
   window multiple times to a verifier.  The verifier MUST NOT accept
   the second attempt of the OTP after the successful validation has
   been issued for the first OTP, which ensures one-time only use of an
   OTP.
* https://datatracker.ietf.org/doc/html/rfc6238#section-5

This is actually the only "MUST NOT" in the entire RFC (besides the definition of the term in §2).


i would think the "OTP" would be the giveaway, but hey, i'm no CTO


Theoretically it means that if someone has your password and has MITM'd you or has a keylogger on you, they can log in as you in the 30 second window.

That said, someone with the level of access required to exploit this vulnerability isn't going to be stopped because GitLab patches it. There are plenty of other things they could do with that kind of access.


This is why threat vector analysis is so important, because in your case, there is no additional vector. If someone has MITM'd you, they can just intercept your token before they pass it to Gitlab.

And to your other point, you're right, if your adversary already has a keylogger running on your device you're pretty much screwed in any case.


It enables phishing where you're actually logged in after submitting your credentials. You don't need a MITM from a network perspective.


Separately, if the attacker has the password and a mitm for the totp code, then this allows them to logg in without being detected.


Valid TOTPs should still only work once when implemented well. And yes it's not easy to exploit. The idea is something like a malware could sit and intercept a successful login then initiate its own session by re-using the MFA code before it expires.


Yeah, but malware in that position can also just steal your session cookie.


Malware can also just steal your session cookie.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: