A patch has been issued to resolve flaw that led to passwords being exposed ‘potentially forever’
The developer of a plugin designed to improve the security of Django installations through two-factor authentication (2FA) has released a patch to resolve a bug that could compromise user credentials.
The plugin, Django Two-Factor Authentication, is built on top of the one-time password framework – django-otp – and the django.contrib.auth authentication framework.
The app is designed to provide 2FA functionality through calls, SMS messages, and both software and hardware-based token generators.
Developer Bouke Haarsma released the first version of the software in 2012 on GitHub. While the exact size of the user base is unknown due to the bolt-on being an open source project, the plugin is popular and accounts for 846 GitHub stars and 261 forks at the time of writing.
Tracked as CVE-2020-15105, Django Two-Factor Authentication version 1.11 and below are subject to a serious – and somewhat ironic – vulnerability that stores the user’s password in clear text during sessions.
When a user submits their username and password, the password is automatically stored, to be removed only once a 2FA code has been submitted.
However, as the vulnerability’s advisory reads, “this means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password, and then leaves before entering their two-factor authentication code”.
The vulnerability is deemed high-severity, and if Django’s default database session storage is enabled, in the worst-case scenarios, passwords are stored without any encryption or protection in the database.
If signed cookie session functions are in play, however, then user passwords are stored in plain text within a browser’s cookie vault.
While users can implement a workaround by simply switching Django’s storage setup from database or cache-based to signed cookies, this change may introduce its own set of security ramifications.
Instead, it is recommended that users of the Django Two-Factor Authentication plugin upgrade their builds as soon as possible. The latest version of the software, 1.12, resolves the vulnerability.
In addition, it is important to remember that patching against the bug does not automatically resolve the plain text password storage that has already occurred.
Credentials will need to be purged from existing databases – as well as their backups – and if a data breach has been suspected while utilizing the framework, passwords should also be changed to stop any abuse.
Nick Catalano, Sage Weil, and Ben Weissmann were credited with the vulnerability report.
The Daily Swig has reached out to the developer with additional queries and will update when we hear back.