Security issue: twofactor_totp disabled during upgrade w/o any explicit warning #10573
Comments
GitMate.io thinks possibly related issues are #4200 (E-Mail notification "sharebymail" function), #1716 (Notification E-Mail all 30 mins), #6204 (e-mail notifications for activities are not received), #8523 (Resharing a password protected folder by e-mail leads to an error and incorrect notifications), and #3596 (Email notifications for pending upgrades).
Should I downgrade to have my security-related inconvenience back?
@oddmean there is a bug that prevents the app from showing. But it actually is available for 14, see: https://apps.nextcloud.com/apps/twofactor_totp Beta3 on Thursday will have this all fixed and sorted out.
@rullzer thank you! But there maybe should be some flag for security-related apps causing them not to be disabled automatically and/or causing the upgrade procedure to show EVIL WARNINGS everywhere.
@oddmean we actually improved the 2FA state for 14 (before they were stateless). This should make sure that after 14 all the states of your providers are stored in the DB as well, protecting your account even if an app got somehow disabled.
@rullzer nevertheless, isn't it strange when the essential security concept (2FA) is just missed in a security/privacy aimed software's workflow? Maybe some flag (even a binary one) should be added as an app's property (especially for official ones) to stop instances' admins just before they do potentially really wrong things w/o any knowledge of what they really do ("It's just a new version of NC! Let me find out all those cool new features myself and then look at the changelog" So am I).
I've installed twofactor_totp 1.5.0 but nothing still works as expected. I've tried to login via Firefox's "Private window", Firefox started in a new LXC nonprivileged container, Chromium. All the same: it's enough to enter the correct password and no prompting for OTP.
Beta3 is released.
Works like a charm, thank you!
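Until something like that flag exists, an admin can make the check explicit in their own upgrade runbook: after `occ upgrade`, compare the app list against the set of apps the instance treats as security-critical and refuse to call the upgrade done if any of them came back disabled. The script below is an added example for this thread, not code from Nextcloud or from the twofactor_totp app. It assumes `occ app:list --output=json` prints an object with `enabled` and `disabled` maps of app id to version (verify that on your own install), and the app names and sample JSON are constructed for illustration.

```python
import json
import subprocess
import sys

# Apps this deployment treats as security-critical (constructed list; adjust it
# to the 2FA providers and other security apps your instance relies on).
REQUIRED_SECURITY_APPS = ("twofactor_totp", "twofactor_backupcodes")

# Assumed command for fetching the app list; the php/occ path and the web
# server user differ per install.
OCC_APP_LIST_CMD = ["sudo", "-u", "www-data", "php", "occ", "app:list", "--output=json"]

# Constructed sample of `occ app:list --output=json` after an upgrade that
# silently left twofactor_totp disabled (the situation reported in this issue).
SAMPLE_APP_LIST_BROKEN = json.dumps({
    "enabled": {"files": "1.9.0", "twofactor_backupcodes": "1.3.0"},
    "disabled": {"twofactor_totp": "1.5.0", "encryption": None},
})

# Constructed sample of a healthy post-upgrade state.
SAMPLE_APP_LIST_OK = json.dumps({
    "enabled": {"files": "1.9.0", "twofactor_backupcodes": "1.3.0", "twofactor_totp": "1.5.0"},
    "disabled": {"encryption": None},
})


def parse_app_list(raw):
    """Turn the assumed occ JSON into two sets of app ids: enabled and disabled."""
    data = json.loads(raw)
    return {
        "enabled": set(data.get("enabled", {})),
        "disabled": set(data.get("disabled", {})),
    }


def missing_security_apps(raw, required=REQUIRED_SECURITY_APPS):
    """Return the required apps that are NOT enabled, sorted for stable output.

    An app that is neither enabled nor disabled (e.g. removed because it was
    incompatible with the new version) also counts as missing, which is the
    case that matters most after an upgrade.
    """
    apps = parse_app_list(raw)
    return sorted(app for app in required if app not in apps["enabled"])


def post_upgrade_report(raw, required=REQUIRED_SECURITY_APPS):
    """Return (exit_code, message): 0 when every required app is enabled, 1 otherwise."""
    missing = missing_security_apps(raw, required)
    if not missing:
        return 0, "OK: all security-critical apps enabled: " + ", ".join(required)
    return 1, (
        "WARNING: security-critical apps not enabled after upgrade: "
        + ", ".join(missing)
        + " (re-enable with `occ app:enable <app>` and re-check before reopening logins)"
    )


if __name__ == "__main__":
    # Run against the live instance; fall back to the constructed sample when
    # occ is not available so the script can be tried anywhere.
    try:
        raw_output = subprocess.check_output(OCC_APP_LIST_CMD, text=True)
    except (OSError, subprocess.CalledProcessError):
        raw_output = SAMPLE_APP_LIST_BROKEN
    code, message = post_upgrade_report(raw_output)
    print(message)
    sys.exit(code)
```

Wiring the exit code into the upgrade job (so a non-zero result blocks whatever step takes the instance out of maintenance mode) gives admins the loud warning the thread asks for without waiting on a change in the app framework.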
Steps to reproduce
1.5 Log in as X being prompted for TOTP and entering it
2.5 See no warnings about 'twofactor_totp' (be lazy enough to watch through the detailed log)