Ahmad Halabi

Published On: 08 Nov 2019

Broken Authentication in Two Step Verification

Privacy/Authentication
Avira | Web
Certificate
MEDIUM VALID

This is my third finding in Avira, this bug is a broken authentication flow in their Two Step Verification System.

Description

Avira allows multiple users to enter one common phone number and enable Two Step Verification using that same single phone number. The bug I found prevented users from logging in after entering the code received on that number, even when the code was correct. I also found another bug where I was able to bypass the two step verification process and log in to these accounts without entering the passcode. (This bug is not fixed yet.)

Impact

Multiple users cannot log in to their accounts if two-step verification is enabled on those accounts using a common phone number.

Reproduction Steps

Step 1

User 1 logs in, goes to the Two-step verification section and enters the common phone number.

Step 2

User 2 logs in and does the same as in step 1.

Step 3

Two codes are sent to my phone number.

User 1 enters the first code received.

User 2 enters the second code received.

Step 4

Two-step verification is now enabled for both accounts.

Both users log out.

Step 5

User 1 tries to log in: a code is sent to the phone number, the user enters it and logs in (Login Failed).

User 2 tries to log in: a code is sent to the phone number, the user enters it and logs in (Login Failed).
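Two ways a server can keep pending two-step codes, as an added example: this is not Avira's code and the page does not state the actual root cause, so the phone-keyed design is only one constructed model that reproduces the step 3 symptom. Storing pending codes by delivery phone number lets two accounts sharing one number overwrite each other's code; storing them by account id, with an expiry and a constant-time comparison, keeps the accounts independent. Class names, the placeholder number and the helper are assumptions.

```python
import secrets
import time

# Constructed model, not Avira's implementation.

class PhoneKeyedOtp:
    """Pending codes keyed by the phone number they were sent to (failure-prone)."""
    def __init__(self):
        self.pending = {}

    def send(self, user, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code   # a second account on the same number overwrites this
        return code

    def verify(self, user, phone, code):
        # The user id is ignored: whoever shares the number competes for one slot.
        return self.pending.pop(phone, None) == code


class AccountKeyedOtp:
    """Pending codes keyed by account id, bound to the phone, with a TTL (hardened)."""
    def __init__(self, ttl=300):
        self.pending = {}
        self.ttl = ttl

    def send(self, user, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, phone, time.time() + self.ttl)
        return code

    def verify(self, user, phone, code):
        entry = self.pending.pop(user, None)   # single use: consumed on first attempt
        if entry is None:
            return False
        expected, bound_phone, expires = entry
        return (bound_phone == phone and time.time() < expires
                and secrets.compare_digest(expected, code))


def shared_number_logins(store):
    """Two accounts enrolled on one number each request a code, then each submits its own."""
    phone = "+10000000000"   # constructed placeholder number
    c1 = store.send("user1", phone)
    c2 = store.send("user2", phone)
    return store.verify("user1", phone, c1), store.verify("user2", phone, c2)
```

With the phone-keyed store the second user's correct code is always rejected (the first verification consumed the shared slot), matching the "Login Failed" outcome above; the account-keyed store accepts both.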

Timeline

13 Jun 2019 (Ahmad): Report Sent (two bugs)

14 Jun 2019 (Avira): Report Triaged

30 Oct 2019 (Avira): 1st bug fixed

31 Oct 2019 (Avira): Certificate Awarded

VALID