Vuln ID: TP-020
Title: Broken Access Control on 2FA Disable
Severity: high
Type: Broken Access Control
HTTP Method: POST
URL: /auth/2fa/disable
Parameter: user_id
Filename: -
Code Location: backend/api/controllers/AuthController.php line 328

Description

The 2FA disable endpoint accepts an optional user_id parameter and acts on the account it names instead of the authenticated user's account. An authenticated attacker can therefore disable any user's 2FA by supplying that user's user_id.

Proof of Concept

POST /auth/2fa/disable with the body {"user_id": 3, "password": "mypassword"} (the attacker's own password) disables 2FA for user_id 3, the admin account.

Remediation

Ignore any client-supplied user_id and always derive the target account from the authenticated session's user ID.
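The following is an added illustration of the remediation, not the project's AuthController.php. It reconstructs the flawed pattern in a hypothetical form and places the corrected handler beside it. The session key `$_SESSION['user_id']`, the PDO connection, and the `users` table with `id`, `password_hash` and `totp_secret` columns are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Assumed schema: users(id,
// password_hash, totp_secret); assumed session key: $_SESSION['user_id'].

// Hypothetical reconstruction of the flaw described above: when user_id is
// present in the body it is trusted, so the caller picks the victim account.
function disableTwoFactorVulnerable(PDO $db, array $body): bool
{
    $userId = (int) ($body['user_id'] ?? $_SESSION['user_id'] ?? 0); // attacker-controlled
    $stmt = $db->prepare('UPDATE users SET totp_secret = NULL WHERE id = :id');
    return $stmt->execute([':id' => $userId]);
}

// Corrected handler: the target account is always the session's own user,
// the caller must re-authenticate with their password, and a mismatched
// user_id in the body is logged as a signal for detection.
function disableTwoFactor(PDO $db, array $body): array
{
    if (empty($_SESSION['user_id'])) {
        return ['status' => 401, 'error' => 'authentication required'];
    }
    $userId = (int) $_SESSION['user_id'];

    // Detection: a client-supplied user_id that differs from the session is
    // exactly the request shape of this finding; log it, never honour it.
    if (isset($body['user_id']) && (int) $body['user_id'] !== $userId) {
        error_log(sprintf(
            'suspicious 2fa disable: session user %d supplied user_id %d ip=%s',
            $userId, (int) $body['user_id'], $_SERVER['REMOTE_ADDR'] ?? '-'
        ));
    }

    // Re-authentication: verify the caller's current password against the
    // hash of the session user, not of any account named in the request.
    $password = (string) ($body['password'] ?? '');
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return ['status' => 403, 'error' => 'invalid password'];
    }

    $stmt = $db->prepare('UPDATE users SET totp_secret = NULL WHERE id = :id');
    $stmt->execute([':id' => $userId]);

    // Audit entry so security operations can see every 2FA disable event.
    error_log(sprintf('2fa_disabled user_id=%d ip=%s', $userId, $_SERVER['REMOTE_ADDR'] ?? '-'));
    return ['status' => 200];
}
```

The key property is that `$userId` is bound before the request body is consulted and the body can only supply the password; the mismatch log line gives a cheap, high-signal detection for attempts against the original endpoint even after the fix is deployed.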