- Issue created by @prudloff
This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.
The OTP form is not protected against brute force attacks.
It is possible to send the form multiple times with a new OTP code until the valid code is found.
The code is only valid for a few minutes, but that could be enough to make a lot of tries if the server is fast enough.
1. Enable the module
2. Browse to /user/1/2fa and enable 2FA for your account
3. Try to login with the login form: it asks for 2FA
4. Try submitting the form multiple times: there is no rate limit
I think the module should limit the number of tries.
Also, the code is generated with rand(), which is not truly random and not recommended for secure tokens; it should probably use a secure function like random_int().
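The two points raised in the report, a per-account attempt limit on the OTP form and a CSPRNG for code generation, put together in one added example. This is illustrative code written for this issue, not code from the module or from the reporter; the code length, lifetime and attempt limit are assumed values, and the in-memory array stands in for whatever storage a module would use.

```php
<?php
// Added example (not the module's code): OTP issuance with random_int() and a
// per-account attempt limit, in plain PHP so it runs stand-alone.
// Assumed parameters: 6-digit code, 5-minute lifetime, 5 attempts per code.

final class OtpVerifier {
    private const CODE_LENGTH = 6;
    private const TTL_SECONDS = 300;   // assumed lifetime of a code
    private const MAX_ATTEMPTS = 5;    // assumed attempts allowed per code

    /** @var array<int, array{code: string, expires: int, attempts: int}> */
    private array $store = [];

    /** Generate a code with a CSPRNG; rand() is a seeded PRNG and must not be used here. */
    public function issue(int $uid, ?int $now = null): string {
        $now ??= time();
        $max = 10 ** self::CODE_LENGTH - 1;
        $code = str_pad((string) random_int(0, $max), self::CODE_LENGTH, '0', STR_PAD_LEFT);
        $this->store[$uid] = ['code' => $code, 'expires' => $now + self::TTL_SECONDS, 'attempts' => 0];
        return $code;
    }

    /**
     * Returns 'ok', 'expired', 'locked' or 'wrong'. Every submission counts
     * against the limit, and the code is discarded once the limit is reached,
     * so guessing cannot continue until the lifetime runs out.
     */
    public function verify(int $uid, string $submitted, ?int $now = null): string {
        $now ??= time();
        if (!isset($this->store[$uid])) {
            return 'wrong';
        }
        $entry = &$this->store[$uid];
        if ($now >= $entry['expires']) {
            unset($this->store[$uid]);
            return 'expired';
        }
        $entry['attempts']++;
        // Constant-time comparison so response timing does not leak matching prefixes.
        if (hash_equals($entry['code'], $submitted)) {
            unset($this->store[$uid]); // a code is single use
            return 'ok';
        }
        if ($entry['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->store[$uid]); // limit reached: the code is invalidated
            return 'locked';
        }
        return 'wrong';
    }
}

// Demonstration: repeated submissions against one code are cut off at MAX_ATTEMPTS,
// after which the code no longer exists and even the right value is rejected.
$v = new OtpVerifier();
$code = $v->issue(1);
$results = [];
for ($guess = 0; $guess < 7; $guess++) {
    $results[] = $v->verify(1, str_pad((string) $guess, 6, '0', STR_PAD_LEFT));
}
$results[] = $v->verify(1, $code);
echo implode(',', $results), PHP_EOL;
```

In a Drupal module the attempt counter would normally be backed by core's flood service rather than an array: `\Drupal::flood()->isAllowed($event, 5, 300, (string) $uid)` before checking the code and `\Drupal::flood()->register($event, 300, (string) $uid)` after each failed submission, where `$event` is a module-specific event name of your choosing. That keeps the limit across requests and processes, which the in-memory version above does not.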
Active
1.1
Code