RubySec

Providing security resources for the Ruby community

CVE-2015-7225 (devise-two-factor): devise-two-factor 1.1.0 and earlier vulnerable to replay attacks

ADVISORIES

GEM

devise-two-factor

SEVERITY

CVSS v3: 5.3 (Medium)

PATCHED VERSIONS

  • >= 2.0.0

DESCRIPTION

A OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local attackers to shoulder-surf a user’s TOTP verification code and use it to login after the user has authenticated.

By not “burning” a previously used TOTP, devise-two-factor allows a narrow window of opportunity (aka the timestep period) where an attacker can re-use a verification code.

Should an attacker possess a given user’s authentication credentials, this flaw effectively defeats two-factor authentication for the duration of the timestep.