Dataleak #429
Comments
Clearing the 2FAuth cache didn't solve the issue either.
Hi, does this happen specifically when multiple users use the same shared device? Or does each user have their own device? Thx
No shared devices. I don't know what the autolock feature is, sorry. /Sorry for being short, on mobile atm :)
The user with userID 25 gets the codes from user 35. I don't know if that helps; there might be other mishaps that I just haven't heard of yet, they only need 2FA once per week (which will make my next Monday a living hell :) )
Every user uses SSO? Is SSO Only enabled in the admin panel? When did the problem start? Right after an update or a specific event?
No, the admin user can still select non-SSO login. User 25 gets the passcodes from user 35, who was just created.
Sorry, "Enable SSO" and "SSO Only" are enabled. Signup is disabled, except for SSO logins.
I updated to the latest version after discovering the problem; I came from 5.4.0.
Can I access the database somehow?
I guess this is what you see when you visit the UI. Does the database reflect this? In other words, do the records in the
I guess that answers my last question. Is there an internal browser in the web app, or should I acquire Postgres skills to check this out?
No in-app browser.
Portainer (docker compose)
It must be a 'reading' or 'copying' issue; one user seems to have gotten a copy of another user's codes.
The 2FAuth image uses SQLite by default. You previously mentioned Postgres, so I guess you have a Postgres instance that is bound to the 2FAuth container. You don't have any UI to access your Postgres data?!
Yes, I have the psql prompt. I can probably get there pretty quick (a few hours). Should I try to get it to return all the rows?
If encryption is enabled in the admin panel, yes, indeed. But the
I've gotten this far.... Schema | Name | Type | Owner
Can I disable encryption without losing data?
All the users only have one 2FA account, so the number of rows might not be that much of an indicator in my setup.
Encryption is not enabled, yay :)
I'll fiddle around with installing some Postgres web admin thingie later tonight; my head is already spinning from the psql command line.
I installed DBeaver and have connected to the database... I'm still lost, sorry.
OK, I've gotten familiar with DBeaver. The userID matches the username; so far, so good. Sorry for spamming.
It is indeed some sort of writing error.
User 25 has a copy of User 35's data. The records have different 'modified' timestamps, but one of the users might have renamed the 2FA account, causing this.
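The two database checks the thread performs by hand in DBeaver (does every user hold exactly one account, and which accounts have been copied between users) can be scripted. The following is an added example, not 2FAuth's own code: it assumes a hypothetical table `twofaccounts` with columns `user_id`, `service`, `account`, `secret` and `updated_at` (the real 2FAuth schema is not given in the thread), builds an in-memory SQLite database with constructed rows modelled on the situation described (user 25 holding a copy of user 35's row under a different label), and reports only a hash prefix of each shared secret so the output can be pasted into a bug report without exposing TOTP seeds. The SQL is plain enough to run unchanged against the Postgres instance mentioned above; comparing secrets verbatim only works while DB-level encryption is off, as it is here.

```python
import hashlib
import sqlite3
from collections import defaultdict

# Constructed schema: a stand-in for the real 2FAuth accounts table, whose
# actual table and column names are not given in the thread (assumption).
SCHEMA = """
CREATE TABLE twofaccounts (
    id         INTEGER PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    service    TEXT,
    account    TEXT,
    secret     TEXT NOT NULL,
    updated_at TEXT
);
"""

# Constructed sample rows modelled on the thread: user 25 holds a copy of
# user 35's row with a renamed service and a later timestamp; user 12 is clean.
SAMPLE_ROWS = [
    (1, 35, "Keycloak", "user35@example.org", "JBSWY3DPEHPK3PXP", "2024-05-01 09:00:00"),
    (2, 25, "Keycloak (renamed)", "user35@example.org", "JBSWY3DPEHPK3PXP", "2024-05-03 14:12:00"),
    (3, 12, "GitHub", "user12@example.org", "GEZDGNBVGY3TQOJQ", "2024-05-02 08:30:00"),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO twofaccounts VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix so findings can be shared without revealing the TOTP seed."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def accounts_per_user(conn: sqlite3.Connection) -> dict:
    """Row count per user_id; the thread expects exactly one account per user."""
    rows = conn.execute(
        "SELECT user_id, COUNT(*) FROM twofaccounts GROUP BY user_id ORDER BY user_id"
    ).fetchall()
    return dict(rows)


def find_cross_user_duplicates(conn: sqlite3.Connection) -> dict:
    """Return {secret_fingerprint: [user_ids]} for every secret stored under more than one user.

    Uses only ANSI SQL, so the same statement runs against Postgres. Secrets are
    compared verbatim, which requires 2FAuth's DB-level encryption to be disabled.
    """
    rows = conn.execute(
        """
        SELECT secret, user_id
        FROM twofaccounts
        WHERE secret IN (
            SELECT secret
            FROM twofaccounts
            GROUP BY secret
            HAVING COUNT(DISTINCT user_id) > 1
        )
        ORDER BY secret, user_id
        """
    ).fetchall()
    shared = defaultdict(list)
    for secret, user_id in rows:
        shared[fingerprint(secret)].append(user_id)
    return dict(shared)


if __name__ == "__main__":
    db = load_sample_db()
    print("accounts per user:", accounts_per_user(db))
    for fp, users in find_cross_user_duplicates(db).items():
        print(f"secret {fp}... is held by users {users}")
```

Running it against a real instance means replacing `load_sample_db()` with a connection to the production database (read-only credentials are enough) and, if the table or column names differ, adjusting the two queries; the duplicate report is the list to hand back to the maintainers, since each shared fingerprint identifies one row that was copied between accounts.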
Do you know if You should also look at the 2FAuth logs (see the With
This is all I have regarding the mentioned users: I am pretty sure that I fiddled around with that setting way back when I was just fooling around :) We converted from 'native users' to SSO after creating a few test users, which were then deleted afterwards.
How did you proceed?
Sign up. /Mobile
Version
Latest
Details & Steps to reproduce
We are experiencing some odd data leak.
Users are getting other users' accounts.
Log-in/sign-up is via OpenID (Keycloak), and when a user logs in he doesn't get his own 2FA accounts but rather someone else's; it doesn't seem systematic.
I have disabled the nginx proxy's cache function, but that hasn't fixed the issue.
Tried without cookies (Chrome reset) and the problem persists.
Rather odd and rather disturbing :)
Expectation
That users had their own account-data.
Error & Logs
No response
Execution environment
No response
Containerization
Additional information
No response