SA-CONTRIB-2013-012 - Google Authenticator login - Access Bypass

Advisory ID: DRUPAL-SA-CONTRIB-2013-012
Published: 2013-01-30
Author: Drupal Security Team
Source: www.drupal.org

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.004 Low (percentile 74.8%)

This module will allow you to add Time-based One-time Password Algorithm (also called “Two Step Authentication” or “Multi-Factor Authentication”) support to user logins.

Users with the permission to use multi-factor authentication need to associate a Google Authenticator token with their account before they can use multi-factor authentication for login. If this step is not done or not completed, a logic bug in the module’s validation allows their accounts to be logged in to by supplying the username only. This means that when an administrator enables the module and grants the permission to use multi-factor authentication, all user accounts with that permission can be logged in to with just the username.
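A minimal sketch of this class of fail-open logic beside a fail-closed version, added here as an illustration; it is not the module's code, which the advisory does not show. The account table, the function names, and the policy that users without an enrolled token fall back to password-only login are assumptions.

```python
import base64, hashlib, hmac, struct, time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    counter = int((time.time() if at is None else at) // step)
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def pw_hash(password):
    # Constructed fixed salt keeps the sample short; real systems salt per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"sample-salt", 10_000)

# Constructed accounts. Both hold the MFA permission; bob never enrolled a token.
USERS = {
    "alice": {"pw": pw_hash("alice-pw"), "mfa": True,
              "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},  # RFC 6238 test key
    "bob": {"pw": pw_hash("bob-pw"), "mfa": True, "secret": None},
}

def password_ok(user, password):
    return hmac.compare_digest(user["pw"], pw_hash(password or ""))

def code_ok(user, code, at):
    expected = totp(user["secret"], at)
    return hmac.compare_digest(expected.encode(), (code or "").encode())

def login_fail_open(name, password, code, at=None):
    """Hypothetical flawed flow: a missing secret means nothing is checked."""
    user = USERS.get(name)
    if user is None:
        return False
    if user["mfa"]:
        if not user["secret"]:
            return True  # BUG: no enrolled token, so login succeeds unverified
        return password_ok(user, password) and code_ok(user, code, at)
    return password_ok(user, password)

def login_fail_closed(name, password, code, at=None):
    """Password is always required; TOTP is added once a token is enrolled."""
    user = USERS.get(name)
    if user is None or not password_ok(user, password):
        return False
    if user["mfa"] and user["secret"]:
        return code_ok(user, code, at)
    return True
```

A regression test for any second-factor integration should include an account that holds the permission but has no enrolled token, and assert that it cannot log in without its password.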

CVE identifier(s) issued

  • CVE-2013-0258

Versions affected

  • All 7.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Google Authenticator login module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Google Authenticator login module for Drupal 7.x, upgrade to Google Authenticator login 7.x-1.3

Also see the Google Authenticator login project page.

Reported by

Fixed by

  • attiks the module maintainer

Coordinated by
