CVSS v3.x: 5.3 (Medium)
- >= 2.0.0
A OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local attackers to shoulder-surf a user’s TOTP verification code and use it to login after the user has authenticated.
By not "burning" a previously used TOTP, devise-two-factor allows a narrow window of opportunity (aka the timestep period) where an attacker can re-use a verification code.
Should an attacker possess a given user’s authentication credentials, this flaw effectively defeats two-factor authentication for the duration of the timestep.