Security vulnerabilities in Two Factor Authentication (Updraft) (2)
Time-Based-Side-Channel-Attack on backup codes – Two Factor Authentication (Updraft) <= 1.14.5
The plugin uses string comparison operators that don’t mitigate time-based side-channel attacks, which could be abused to reverse engineer information about a user’s emergency backup codes.
Broken encryption allows 2FA bypass – Two Factor Authentication (Updraft) <= 1.14.5
The Two Factor Authentication plugin by Updraft employs a broken encryption scheme that allows an attacker to permanently bypass all 2FA checks.