Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in the tinyauth authentication server versions prior to 5.0.3. It allows an attacker who knows a user's password but not their TOTP (Time-based One-Time Password) secret to bypass the second factor of authentication entirely."}, {'type': 'paragraph', 'content': 'The issue arises because the OIDC (OpenID Connect) authorization endpoint incorrectly issues valid authorization codes to sessions where the password has been verified but the TOTP verification is still pending. This means that even without completing the second factor, an attacker can obtain valid OIDC tokens.'}, {'type': 'paragraph', 'content': 'Technically, the OIDC authorize handler does not properly check whether the user has completed TOTP verification and mistakenly treats TOTP-pending sessions as fully authenticated, allowing the attacker to exchange authorization codes for valid access, ID, and refresh tokens.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts because it allows attackers who have obtained a user's password (through phishing, credential stuffing, or breaches) to completely bypass two-factor authentication (2FA)."}, {'type': 'paragraph', 'content': 'By bypassing the second factor, attackers can impersonate legitimate users and gain unauthorized access to systems and sensitive data protected by tinyauth with OIDC clients configured.'}, {'type': 'paragraph', 'content': 'This undermines the security benefits of multi-factor authentication, increasing the risk of data breaches, unauthorized actions, and potential compromise of user accounts.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your tinyauth server version is prior to 5.0.3 and by testing whether the OIDC authorization endpoint issues authorization codes to sessions that have only completed password verification but not TOTP.

A practical detection method involves attempting to log in with a valid username and password to obtain a TOTP-pending session cookie, then using that cookie to request an OIDC authorization code. If the authorization code is issued without completing TOTP, the system is vulnerable.

Suggested commands (assuming access to the server and API endpoints):

• 1. Perform login via POST /api/user/login with username and password to receive a session cookie indicating TotpPending: true.
• 2. Use the received session cookie to send a request to the OIDC authorization endpoint to request an authorization code.
• 3. Attempt to exchange the authorization code at POST /api/oidc/token for access tokens without submitting TOTP.

If these steps succeed in obtaining valid tokens without TOTP, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the tinyauth server to version 5.0.3 or later, where the vulnerability has been fixed by enforcing proper TOTP verification before issuing OIDC authorization codes.

Until the upgrade can be performed, consider restricting access to the OIDC authorization endpoint or disabling OIDC clients temporarily to prevent exploitation.

Additionally, monitor for suspicious activity such as authorization codes being issued without completed TOTP verification and review logs for unauthorized token exchanges.

Useful 0 Not Useful 0