Legal Robot: 2FA user enumeration via login

ID H1:249467
Type hackerone
Reporter goodhackonly
Modified 2017-08-08T03:06:25


While going live with additional 2FA options, a security researcher discovered that during login, users that had enabled 2FA were prompted for a second factor, even with an incorrect password (i.e. LR correctly rejected the login attempt without a second factor, but rejected all attempts for that user regardless of what password was used). This could have allowed enumeration of users that had enabled 2FA. To some degree, 2FA enumeration was mitigated by existing rate-limiting. This was resolved by the fix for #249431, which had the same root cause.