
Dataleak #429

Open
1 task done
lurendrejer opened this issue Dec 10, 2024 · 30 comments

Comments

@lurendrejer

lurendrejer commented Dec 10, 2024

Version

Latest

Details & Steps to reproduce

We are experiencing some odd data leak.
Users are getting other users' accounts.

Log-in/sign-up is via OpenID (Keycloak) - and when a user logs in he doesn't get his own 2FA accounts but rather someone else's; it doesn't seem systematic.
I have disabled nginx proxy's cache function but that hasn't fixed the issue.
Tried without cookies (Chrome reset) and the problem persists.

Rather odd and rather disturbing :)

Expectation

That users had their own account data.

Error & Logs

No response

Execution environment

No response

Containerization

  • Docker

Additional information

No response

@lurendrejer
Author

Clearing the 2FAuth cache didn't solve the issue either.
There are no duplicate user IDs or anything like that in the user list.

@Bubka
Owner

Bubka commented Dec 10, 2024

Hi,

Does this happen specifically when multiple users use the same shared device? Or does each user have their own device?
When the "ghost" accounts are visible, do they completely replace the accounts of the currently logged in user? Or are they merged?
When the "ghost" accounts are visible, do they persist if the page is refreshed (using F5)?
Is the autolock feature enabled?

Thx

@lurendrejer
Author

lurendrejer commented Dec 10, 2024

No shared devices.
They replace, completely.
Yes; refresh, logout, clean browser on a different device.

I don't know what the autolock feature is, sorry.

/Sorry for being short, on mobile atm :)

@lurendrejer
Author

The user with user ID 25 gets the codes from user 35.
And the user with ID 21 gets the codes from user 15.

I don't know if that helps - there might be other mishaps that I just haven't heard of yet; they only need 2FA once per week (which will make my next Monday a living hell :) )

@Bubka
Owner

Bubka commented Dec 10, 2024

Every user uses SSO? Is SSO Only enabled in the admin panel?

When did the problem start? Right after an update or a specific event?

@lurendrejer
Author

No, the admin user can still select non-SSO login.
It seemed to hit randomly, when we reached around 35 users.

User 25 gets the passcodes from user 35, who was just created.

@lurendrejer
Author

lurendrejer commented Dec 10, 2024

Sorry, "enable SSO" and "SSO Only" are enabled.
Administrators can still select non-SSO login (I guess that's always the case).

Signup is disabled, except for SSO logins.

@lurendrejer
Author

I updated to the latest version after discovering the problem; came from 5.4.0.

@lurendrejer
Author

Can I access the database somehow?
To check if the problem comes from reading the wrong data or writing the wrong data?

@Bubka
Owner

Bubka commented Dec 10, 2024

User 25 gets the passcodes from user 35, who was just created.

I guess this is what you see when you visit the UI. Does the database reflect this? In other words, do the records in the twofaccounts table that should belong to user id 35 have user_id = 25?

@lurendrejer
Author

I guess that answers my last question; is there an internal browser in the web app, or should I acquire Postgres skills to check this out?

@Bubka
Owner

Bubka commented Dec 10, 2024

is there an internal browser in the web app, or should I acquire Postgres skills to check this out?

No in-app browser.
How did you deploy the container? By yourself? Using something like Portainer or any other app manager?

@lurendrejer
Author

Portainer (docker compose)

@lurendrejer
Author

lurendrejer commented Dec 10, 2024

It must be a 'reading' or 'copying' issue; one user seems to have gotten a copy of another user's codes.
But he can still add his own.
The head-scratching is in overdrive right now....

@Bubka
Owner

Bubka commented Dec 10, 2024

The 2FAuth image uses SQLite by default. You previously mentioned Postgres, so I guess you have a Postgres instance that is bound to the 2FAuth container. You don't have any UI to access your Postgres data?!

@lurendrejer
Author

Yes, I have the psql prompt - I can probably get there pretty quickly (a few hours).
I just thought that the data would be encrypted anyhow.

Should I try to get it to return all the rows?
Posting them here might be a bad idea though.

@Bubka
Owner

Bubka commented Dec 10, 2024

I just thought that the data would be encrypted anyhow.

If encryption is enabled in the admin panel, yes, indeed. But the user_id column is not encrypted; you can check the number of records, it could help a bit.
Can you disable encryption temporarily?

@lurendrejer
Author

lurendrejer commented Dec 10, 2024

I've gotten this far....
I don't know how to "select from" in psql yet.

Schema | Name | Type | Owner
--------+-------------------------------+-------+----------
public | auth_logs | table | postgres
public | cache | table | postgres
public | cache_locks | table | postgres
public | groups | table | postgres
public | icons | table | postgres
public | migrations | table | postgres
public | oauth_access_tokens | table | postgres
public | oauth_auth_codes | table | postgres
public | oauth_clients | table | postgres
public | oauth_personal_access_clients | table | postgres
public | oauth_refresh_tokens | table | postgres
public | options | table | postgres
public | password_resets | table | postgres
public | sessions | table | postgres
public | twofaccounts | table | postgres
public | users | table | postgres
public | webauthn_credentials | table | postgres
public | webauthn_recoveries | table | postgres

@lurendrejer
Author

Can I disable encryption without losing data?

@lurendrejer
Author

All the users only have one 2FA account; the number of rows might not be that much of an indicator in my setup.

@lurendrejer
Author

Encryption is not enabled, yay :)
Never checked the box, apparently.

@lurendrejer
Author

I'll fiddle around with installing some postgres-web-admin-thingie later tonight; my head is already spinning from the psql command line.

@lurendrejer
Author

I installed DBeaver and have connected to the database... I'm still lost, sorry.

@lurendrejer
Author

Ok, I've gotten familiar with DBeaver.

The user ID matches the username; so far, so good.

Sorry for spamming.

@lurendrejer
Author

It is indeed some sort of writing error.
User ID 25's data is 'gone' and contains a different user's data.

@lurendrejer
Author

lurendrejer commented Dec 10, 2024

User 25 has a copy of User 35's data.
Same 'Secret', 'LegacyURI' and 'Account'.

The records have different 'modified' timestamps, but one of the users might have renamed the 2FA account, causing this.
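The two database checks suggested earlier in the thread (count rows per user_id, then look for one user's record reappearing under another user_id) can be scripted so they are repeatable. The following is an added example written for this issue, not code from the 2FAuth project or from either participant. It assumes the twofaccounts table has columns named user_id, account, secret and legacy_uri (names inferred from the fields mentioned above), and it runs against an in-memory SQLite copy with constructed rows that mirror the reported situation (user 25's row carrying user 35's data).

```python
import sqlite3

# Constructed sample rows mirroring the situation reported in this thread:
# user 25's record carries user 35's secret/legacy_uri/account. Column names
# are assumptions based on the fields named in the thread; secrets are dummies.
SAMPLE_ROWS = [
    # (id, user_id, account, secret, legacy_uri)
    (27, 15, "user15@example.invalid", "SECRET15", "otpauth://totp/Example:user15?secret=SECRET15"),
    (36, 21, "user21@example.invalid", "SECRET21", "otpauth://totp/Example:user21?secret=SECRET21"),
    (39, 25, "user35@example.invalid", "SECRET35", "otpauth://totp/Example:user35?secret=SECRET35"),
    (40, 35, "user35@example.invalid", "SECRET35", "otpauth://totp/Example:user35?secret=SECRET35"),
]

# Only these column names may be interpolated into SQL below; anything else is rejected.
CHECKABLE_COLUMNS = ("secret", "legacy_uri", "account")


def build_db(rows=SAMPLE_ROWS):
    """Create an in-memory SQLite stand-in for the twofaccounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE twofaccounts ("
        "id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, "
        "account TEXT, secret TEXT, legacy_uri TEXT)"
    )
    conn.executemany("INSERT INTO twofaccounts VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def records_per_user(conn):
    """Record count per user_id (user_id stays in clear even with encryption enabled)."""
    rows = conn.execute(
        "SELECT user_id, COUNT(*) FROM twofaccounts GROUP BY user_id ORDER BY user_id"
    )
    return {user_id: count for user_id, count in rows}


def shared_values(conn, column="secret"):
    """Values of `column` stored under more than one user_id.

    Any hit means one user's 2FA data also exists under another user, which is
    the cross-user leak described in the thread. Only meaningful while the
    column is stored in clear text: with encryption enabled, equal plaintexts
    normally have different ciphertexts and would not match.
    """
    if column not in CHECKABLE_COLUMNS:
        raise ValueError(f"unsupported column: {column}")
    sql = (
        f"SELECT {column}, GROUP_CONCAT(user_id) "
        f"FROM (SELECT DISTINCT {column}, user_id FROM twofaccounts) "
        f"GROUP BY {column} HAVING COUNT(*) > 1"
    )
    return [
        (value, sorted(int(u) for u in users.split(",")))
        for value, users in conn.execute(sql)
    ]


if __name__ == "__main__":
    conn = build_db()
    print("records per user:", records_per_user(conn))
    for col in CHECKABLE_COLUMNS:
        print(f"{col} shared across users:", shared_values(conn, col))
```

To run the same duplicate check directly in DBeaver against the reporter's Postgres database, replace GROUP_CONCAT(user_id) with string_agg(user_id::text, ','); the rest of the query is standard SQL.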

@Bubka
Owner

Bubka commented Dec 12, 2024

Do you know if AUTHENTICATION_GUARD could have been changed to reverse-proxy-guard (even temporarily) in the env vars?

You should also look at the 2FAuth logs (see the 2fauth\storage directory).
If you have set LOG_LEVEL=info, then every time a 2FA account is created a log entry is added in this form: TwoFAccount ID #XX created for user ID #YY

With LOG_LEVEL=notice (the default value) you will find less data. Check any lines containing User ID #25 or User ID #35; it may help to understand what leads to the situation.

@lurendrejer
Author

This is all I have regarding the mentioned users:
[2024-12-03 06:13:55] production.NOTICE: User ID #21 cannot view twofaccount ID #27
[2024-12-03 06:19:52] production.NOTICE: User ID #21 cannot view twofaccount ID #27
[2024-12-03 06:22:39] production.NOTICE: User ID #21 cannot view twofaccount ID #36
[2024-12-05 08:07:39] production.NOTICE: User ID #25 cannot view twofaccount ID #39
[2024-12-05 08:07:42] production.NOTICE: User ID #25 cannot view twofaccount ID #39

I am pretty sure that I fiddled around with that setting, way back when I was just fooling around :)

We converted from 'native users' to SSO after creating a few test users, which were then deleted afterwards.
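The log review the maintainer asked for (find "cannot view" NOTICE lines for the affected users and, at LOG_LEVEL=info, the "TwoFAccount ID #XX created for user ID #YY" lines) can be automated with a small parser. This is an added example for this issue, not code from the 2FAuth project or from the participants. The sample log is constructed: it contains the five NOTICE lines posted above plus two INFO "created" lines written in the format the maintainer describes, which are invented for illustration and are not from the reporter's log. The log line layout "[timestamp] env.LEVEL: message" is taken from the lines posted above.

```python
import re
from collections import Counter

# Constructed sample log: the five NOTICE lines posted in this thread, plus two
# INFO "created" lines in the format the maintainer describes. The INFO lines
# are made up for illustration and are not from the reporter's log.
SAMPLE_LOG = """\
[2024-12-01 09:00:00] production.INFO: TwoFAccount ID #27 created for user ID #15
[2024-12-03 06:13:55] production.NOTICE: User ID #21 cannot view twofaccount ID #27
[2024-12-03 06:19:52] production.NOTICE: User ID #21 cannot view twofaccount ID #27
[2024-12-03 06:22:39] production.NOTICE: User ID #21 cannot view twofaccount ID #36
[2024-12-05 08:01:10] production.INFO: TwoFAccount ID #39 created for user ID #35
[2024-12-05 08:07:39] production.NOTICE: User ID #25 cannot view twofaccount ID #39
[2024-12-05 08:07:42] production.NOTICE: User ID #25 cannot view twofaccount ID #39
"""

# Outer line shape: "[timestamp] environment.LEVEL: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<env>\w+)\.(?P<level>\w+): (?P<msg>.*)$")
# Message shapes quoted in this thread (matched case-insensitively).
CREATED_RE = re.compile(r"TwoFAccount ID #(?P<acct>\d+) created for user ID #(?P<user>\d+)", re.I)
DENIED_RE = re.compile(r"User ID #(?P<user>\d+) cannot view twofaccount ID #(?P<acct>\d+)", re.I)


def parse_log(text):
    """Return (owners, denials).

    owners:  {twofaccount_id: user_id that created it}, from the INFO lines
    denials: [(timestamp, requesting_user_id, twofaccount_id), ...], from NOTICE lines
    Lines that do not match the expected layout are ignored.
    """
    owners, denials = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        created = CREATED_RE.search(msg)
        if created:
            owners[int(created["acct"])] = int(created["user"])
            continue
        denied = DENIED_RE.search(msg)
        if denied:
            denials.append((m["ts"], int(denied["user"]), int(denied["acct"])))
    return owners, denials


def denials_per_user(denials):
    """How often each user was refused access to a twofaccount."""
    return dict(Counter(user for _, user, _ in denials))


def cross_user_attempts(owners, denials):
    """Denied views of an account whose creator is known and is a different user.

    Each entry is (timestamp, requesting_user, twofaccount_id, creating_user);
    these are the events worth correlating with the duplicated database rows.
    """
    return [
        (ts, user, acct, owners[acct])
        for ts, user, acct in denials
        if acct in owners and owners[acct] != user
    ]


if __name__ == "__main__":
    owners, denials = parse_log(SAMPLE_LOG)
    print("owners:", owners)
    print("denials per user:", denials_per_user(denials))
    for hit in cross_user_attempts(owners, denials):
        print("cross-user attempt:", hit)
```

Feed it the real file from the storage directory (for example by reading it and passing the text to parse_log) and compare the resulting owner map against the user_id column in the twofaccounts table; a twofaccount that was created for one user but now sits under another user_id pins down the write that went wrong.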

@Bubka
Owner

Bubka commented Dec 12, 2024

We converted from 'native users' to SSO

How did you proceed?
Like so?

  1. Sign up with email (say [email protected]) & password on 2FAuth
  2. Enable SSO
  3. Logout from 2FAuth
  4. Sign in with SSO using a Keycloak account registered with [email protected]

@lurendrejer
Author

Sign up.
Weeks of general use.
Export 2FA accounts.
Delete account.
Sign in with Keycloak.
Import 2FA.

/Mobile
