-
Bug
-
Resolution: Done
-
Critical
-
RH-SSO-7.6.1
-
False
-
None
-
False
-
OTP used in concurrent session, Logging in different browsers and at the same time entered same OTP and it is accepted by application.
By not "burning" a previously used TOTP, devise-two-factor allows a narrow window of opportunity (aka the timestep period) where an attacker can re-use a verification code.
OTP used in concurrent session, Logging in different browsers and at the same time entered same OTP and it is accepted by application. By not "burning" a previously used TOTP, devise-two-factor allows a narrow window of opportunity (aka the timestep period) where an attacker can re-use a verification code. -
-
Customer is able to reproduce the issue with TOTP even in the latest version of RH SSO 7.6.1.
As suggested in SSOSUP-392
issue is fixed in Keycloak 20 https://github.com/keycloak/keycloak/issues/13607
Can we back port this for RH SSO 7.6.1?
