PT-2020-16365 · Mit Scratch · Scratchverifier
Reporter: Kenny2Github (+1)
Published: 2020-11-20 · Updated: 2020-12-09
CVE-2020-26236
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ScratchVerifier versions prior to commit a603769
Description
An attacker can hijack the verification process to log into someone else's account on any site that uses ScratchVerifier for logins. The exploitation involves the following steps:
- User starts the login process.
- Attacker attempts login for the user and is given the same verification code.
- User comments on the code as part of their normal login.
- Before the user can, the attacker completes the login process now that the code is commented.
- The user gets a failed login, and the attacker now has control of the account. This issue primarily affects users who comment on the code and then take several seconds before finishing the login.
Recommendations
For ScratchVerifier versions prior to commit a603769, update to a version that includes the fix: as of commit a603769, starting a login twice generates different verification codes, so both the user's and the attacker's login fail.
As a temporary workaround, consider completing the login process as soon as possible after commenting the code to minimize the risk of exploitation.
Restrict access to the verification process to trusted users only until the issue is resolved.
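As an added illustration (not ScratchVerifier's own code), the following Python model replays the steps from the description against two policies for the pending verification code: handing out the already-pending code to a second login start (the behaviour before commit a603769) versus minting a fresh code on every start (the fix). VerifierModel, start_login, finish_login and the username "alice" are hypothetical names chosen for the example.

```python
import secrets


class VerifierModel:
    """Toy model of a comment-based login flow (hypothetical; not ScratchVerifier's code).

    A login is started by issuing a code the user must post as a comment, and
    finished by checking that the code appears in the comment section.
    """

    def __init__(self, regenerate_on_restart: bool):
        # False models the pre-a603769 behaviour: a second start for the same
        # account is handed the code that is already pending.
        # True models the fix: every start mints a new code, replacing the old one.
        self.regenerate_on_restart = regenerate_on_restart
        self.pending = {}  # username -> currently valid code

    def start_login(self, username: str) -> str:
        if not self.regenerate_on_restart and username in self.pending:
            return self.pending[username]
        code = secrets.token_hex(8)
        self.pending[username] = code
        return code

    def finish_login(self, username: str, code: str, comments: list) -> bool:
        # Succeeds only if `code` is the code currently pending for the account
        # and it has been posted; the pending entry is consumed on success.
        if self.pending.get(username) != code or code not in comments:
            return False
        del self.pending[username]
        return True


def race(regenerate_on_restart: bool):
    """Replay the advisory's steps; returns (second_session_ok, user_ok)."""
    verifier = VerifierModel(regenerate_on_restart)
    comments = []  # constructed stand-in for the project's comment section
    user_code = verifier.start_login("alice")       # step 1: user starts login
    second_code = verifier.start_login("alice")     # step 2: a second session starts one too
    comments.append(user_code)                      # step 3: user posts their code
    second_ok = verifier.finish_login("alice", second_code, comments)  # step 4: second session finishes first
    user_ok = verifier.finish_login("alice", user_code, comments)      # step 5: user tries to finish
    return second_ok, user_ok


if __name__ == "__main__":
    print("before fix:", race(False))  # (True, False): the second session takes the account
    print("after fix: ", race(True))   # (False, False): both attempts fail, as the advisory states
```

Under the fixed policy the user's own attempt also fails because their pending code was replaced, which is exactly the "both fail" outcome the recommendation describes; a login that unexpectedly fails after the code was posted is therefore the signal worth logging.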
Fix
Commit a603769
Weakness Enumeration
Improper Authentication
Affected Products
Scratchverifier