Fixed E-Mail TFA leaks email address

Kirby

Well-known member
Affected version
2.2.12
This is most likely "Working as designed", but in this case the design is questionable ;)

TFA is meant to protect the account (and sensitive data within it), but unfortunately email TFA displays the following message when triggered:
An email has been sent to <b>{email}</b> with a single-use code. Please enter that code to continue.

In the case of unauthorized access to the account (by an attacker who only has the username and password) this leaks the user's email address, effectively giving the attacker more data to work with.

I therefore think the email address should not be shown (at least not in full).
 
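To show what a non-leaking prompt can look like, here is an added example (Python, not XenForo's own PHP code) of the two options discussed in this thread: a generic message that never mentions the address, and a partially masked address that the account owner can still recognise. The function names and the sample addresses are constructed for the illustration.

```python
"""Wording an email two-step prompt without disclosing the address on file.

Added illustration, not XenForo code. Function names and sample addresses
are constructed for this example.
"""

MASK_CHAR = "*"


def _mask_part(part: str) -> str:
    """Keep the first and last character of a string and star the rest.

    Strings of two characters or fewer are starred entirely, so very short
    local parts or domain labels are not revealed by their endpoints.
    """
    if len(part) <= 2:
        return MASK_CHAR * len(part)
    return part[0] + MASK_CHAR * (len(part) - 2) + part[-1]


def mask_email(email: str) -> str:
    """Return a partially redacted address, e.g. 'k***y@e*****e.com'.

    The top-level domain is kept so the owner can recognise the address;
    the local part and the domain label before the TLD are masked.
    Raises ValueError for input that is not shaped like an address.
    """
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an email address")
    label, dot, tld = domain.rpartition(".")
    if not dot:
        # No dotted domain (e.g. 'root@localhost'): mask the whole domain.
        return f"{_mask_part(local)}@{_mask_part(domain)}"
    return f"{_mask_part(local)}@{_mask_part(label)}.{tld}"


def tfa_prompt(email: str, show_masked: bool = False) -> str:
    """Build the message shown after a verification code has been emailed.

    By default the address is not mentioned at all (the generic wording
    suggested in this thread). With show_masked=True a masked form is
    shown instead; neither variant contains the full address.
    """
    if show_masked:
        return (
            f"An email has been sent to {mask_email(email)} with a "
            "single-use code. Please enter that code to continue."
        )
    return (
        "A single-use code has been sent to the email address on file for "
        "this account. Please enter that code to continue."
    )


if __name__ == "__main__":
    sample = "kirby@example.com"  # constructed sample address
    print(tfa_prompt(sample))
    print(tfa_prompt(sample, show_masked=True))
```

Which variant to use is a product decision: the generic message discloses nothing, while the masked form helps users who have several accounts tell which mailbox to check at the cost of revealing the address length and its first and last characters.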
Could the phrase be edited as a (temporary) fix? I would say something like "A single-use code has been sent to the email address on file for this account." Or like other sites say, "If this email address is on file, we will send a single-use code to continue logging in to the site."
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.13).

Change log:
Avoid leaking the email address linked to an account that is using email two-step verification
There may be a delay before changes are rolled out to the XenForo Community.
 