Lack of protection against admin 2FA code brute-force

There is no limit on the number of unsuccessful guesses made when submitting a 2FA code; this increases the chance that a user could correctly guess a voucher code using scripting or automation.

It is possible that users of the site may successfully discover a valid code through brute-force guessing. The application offers no mechanism to restrict the number of code attempts to mitigate this attack.

We should add a limit on the number of unsuccessful guesses in the 2FA module.
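As an added illustration of the limit the post asks for (example code, not the application's own 2FA module), the verifier below counts consecutive failed 2FA attempts per account and locks the 2FA step for a cooling-off period once the threshold is reached, rejecting even a correct code while locked. The threshold, lockout duration, in-memory state, the RFC 6238 TOTP algorithm and the test secret are assumptions made for the example; the post names none of them.

```python
import hashlib
import hmac
import struct
import time

# Policy values are assumptions for this example; the original post specifies none.
MAX_FAILED_ATTEMPTS = 5      # failures allowed before the account's 2FA step locks
LOCKOUT_SECONDS = 15 * 60    # how long the 2FA step stays locked
TOTP_STEP = 30               # RFC 6238 time step in seconds
TOTP_DIGITS = 6


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm common authenticator apps use."""
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TwoFactorVerifier:
    """Verifies 2FA codes and locks the 2FA step after repeated failures.

    State is kept in memory here for the example (assumption). A real deployment
    stores the counters in the database or cache so they survive restarts and
    are shared across web nodes; otherwise guesses can be spread across nodes.
    """

    def __init__(self, secrets: dict, clock=time.time):
        self._secrets = secrets          # user -> raw TOTP secret bytes
        self._clock = clock              # injectable so tests can control time
        self._failures: dict = {}        # user -> consecutive failed attempts
        self._locked_until: dict = {}    # user -> unix time the lock expires

    def verify(self, user: str, submitted: str) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveal which candidate matched."""
        now = int(self._clock())
        if now < self._locked_until.get(user, 0):
            return "locked"              # a correct code is rejected while locked

        secret = self._secrets[user]
        # Accept the current and the previous step to tolerate small clock skew.
        candidates = [totp(secret, now - TOTP_STEP), totp(secret, now)]
        matched = False
        for code in candidates:
            # Compare every candidate in constant time; no early exit on a match.
            matched |= hmac.compare_digest(code, submitted)

        if matched:
            self._failures.pop(user, None)
            return "ok"

        failures = self._failures.get(user, 0) + 1
        if failures >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)   # counter restarts once the lock expires
            return "locked"
        self._failures[user] = failures
        return "denied"


def brute_force_success_probability(attempts: int, accepted_codes: int = 2) -> float:
    """Chance that `attempts` uniform random guesses hit one of the accepted codes."""
    per_guess = accepted_codes / 10 ** TOTP_DIGITS
    return 1 - (1 - per_guess) ** attempts
```

The probability helper shows why the limit matters: with two accepted six-digit codes and no limit, roughly 350,000 guesses give an attacker an even chance, which a script can submit in well under a day; with the lockout above an attacker gets only five guesses per fifteen minutes per account. Keying the counter by account (not only by source IP) is what stops a distributed guesser, and the lock should also be logged so repeated lockouts on an admin account show up as an alert.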