Security vulnerabilities in Two Factor Authentication (Updraft) (2)

April 24, 2023

Time-Based-Side-Channel-Attack on backup codes – Two Factor Authentication (Updraft) <= 1.14.5

The plugin uses string comparison operators that don’t mitigate time-based-side-channel-attacks, which could be abused to reverse engeneer information about a user’s emegerncy backup cods.
April 24, 2023

Broken encryption allows 2FA bypass – Two Factor Authentication (Updraft) <= 1.14.5

The Two Factor Authentication plugin by Updraft employs a broken encryption scheme that allows an attacker to permanently bypass all 2FA checks.

Time-Based-Side-Channel-Attack on backup codes – Two Factor Authentication (Updraft) <= 1.14.5