Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
Description
Missing authorization in Drupal Authenticator Login allows forceful browsing to access another user's two-factor configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The Authenticator Login module for Drupal, which enables two-factor authentication via QR codes and authenticator apps, contains a missing authorization vulnerability. The module fails to properly protect its custom paths, allowing one user to access a different user's two-factor configuration without proper permission checks [2]. This issue affects versions before 2.0.6.
Exploitation
An attacker can exploit this vulnerability through forceful browsing: simply navigating to a crafted URL that corresponds to another user's two-factor setup. No special authentication or network position is required beyond being a logged-in user on the same Drupal site. Because these custom paths lack access control, any authenticated user can potentially view or modify another user's two-factor settings [2].
Impact
Successful exploitation allows an attacker to access another user's two-factor authentication configuration. This could lead to bypassing the intended second factor for that user, compromising account security. The impact is critical as it undermines the core security feature the module provides [2].
Mitigation
The vulnerability is patched in Authenticator Login version 2.0.6. Users on the 1.0.x branch (now unsupported) or 2.0.x branch should upgrade to 2.0.6 or later. The 2.1.x branch is not affected. No workarounds are mentioned; upgrading is the recommended action [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/alogin | Packagist | < 2.0.6 | 2.0.6 |
Affected products
- Range: 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jwpx-6c4p-q4jq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-31681 (GHSA, advisory)
- www.drupal.org/sa-contrib-2025-009 (GHSA, web)
News mentions
No linked articles in our index yet.