VYPR
Unrated severity · NVD Advisory · Published Jun 20, 2026

Capgo - Improper 2FA Enforcement Logic via Team Security Settings

CVE-2026-56212

Description

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing prerequisite check for admin 2FA status before allowing a team-wide 2FA policy change."

Attack vector

An attacker who already holds a role with permission to manage team or organization security settings navigates to the security settings page and toggles the 'Require 2FA for all team members' option while their own account has no 2FA enabled. The backend accepts the policy change without first verifying that the initiator has enabled 2FA on their own account [ref_id=1]. This allows a privileged user to enforce a security policy they themselves do not follow, weakening the overall security posture and potentially locking out team members who are forced into 2FA while the admin remains weakly protected [ref_id=1].

What the fix does

The advisory recommends requiring admins to enable 2FA before they can enforce org-wide 2FA, adding backend validation for the initiator's 2FA status, and enforcing hierarchical security rules [ref_id=1]. No patch diff is included in the bundle, so the exact code changes are not visible; the remediation logic, however, amounts to a server-side check that rejects the policy-change request when the requesting user's own account does not have 2FA enabled. The check belongs in the backend handler, not only in the settings UI, since a client-side guard can be bypassed by calling the API directly. This closes the authentication logic flaw by ensuring that the security standard applied to team members is also met by the administrator who imposes it.

Preconditions

  • auth: Attacker must have a role with permission to manage team or organization security settings
  • config: Attacker's own account must not have 2FA enabled
  • network: Attacker must have network access to the Capgo web application

Reproduction

  • Log in as a user with permission to manage team security settings.
  • Ensure your own account does NOT have 2FA enabled.
  • Navigate to team or organization security settings.
  • Enable 'Require 2FA for all team members.'
  • Observe that the platform allows enabling team-wide 2FA without requiring the admin to enable their own 2FA first [ref_id=1].
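The following is an added example, not Capgo's code and not taken from the advisory or its patch. It models the reproduction above and the fix described under "What the fix does" side by side: a policy handler that stops at the role check (the flawed shape) and one that also verifies the initiator's own 2FA status before enabling the team-wide requirement. Every name (Org, User, setRequireMfaUnchecked, setRequireMfaChecked, unenrollMfa, canSignIn), the assumption that disabling the policy is not gated, and the assumed hierarchical rule that nobody may unenrol while the policy is on are hypothetical; the sample org is constructed.

```typescript
// Added example (not Capgo's code): the flawed and the corrected
// authorization path for an org-wide "require 2FA" policy change.
// Every name here (Org, User, setRequireMfa*, ...) is hypothetical.

type Role = "admin" | "member";

interface User {
  id: string;
  role: Role;           // role inside the org
  mfaEnrolled: boolean; // has this user completed 2FA enrolment?
}

interface Org {
  id: string;
  requireMfa: boolean;  // team-wide policy
  members: Map<string, User>;
}

type Result = { ok: true } | { ok: false; reason: string };

const ok: Result = { ok: true };
function deny(reason: string): Result { return { ok: false, reason }; }

// Flawed shape of the handler: authorization stops at the role check, so an
// admin who has never enrolled in 2FA can switch the policy on for everyone
// else. This is the behaviour the advisory describes.
function setRequireMfaUnchecked(org: Org, actorId: string, require: boolean): Result {
  const actor = org.members.get(actorId);
  if (!actor) return deny("not a member of this org");
  if (actor.role !== "admin") return deny("role cannot manage security settings");
  org.requireMfa = require;
  return ok;
}

// Corrected shape: same role check, plus the prerequisite the fix recommends.
// Enabling the policy is refused unless the initiator's own account already
// has 2FA. Turning the policy off is not gated (our assumption).
function setRequireMfaChecked(org: Org, actorId: string, require: boolean): Result {
  const actor = org.members.get(actorId);
  if (!actor) return deny("not a member of this org");
  if (actor.role !== "admin") return deny("role cannot manage security settings");
  if (require && !actor.mfaEnrolled) {
    return deny("enable 2FA on your own account before requiring it for the team");
  }
  org.requireMfa = require;
  return ok;
}

function enrollMfa(org: Org, userId: string): Result {
  const u = org.members.get(userId);
  if (!u) return deny("not a member of this org");
  u.mfaEnrolled = true;
  return ok;
}

// Hierarchical rule (assumed): while the org requires 2FA nobody, admins
// included, may unenrol, so the policy cannot be enabled and then dodged.
function unenrollMfa(org: Org, userId: string): Result {
  const u = org.members.get(userId);
  if (!u) return deny("not a member of this org");
  if (org.requireMfa) return deny("org policy requires 2FA; unenrolment blocked");
  u.mfaEnrolled = false;
  return ok;
}

// Sign-in gate: where the lockout risk from the advisory materialises for
// members who have not enrolled by the time the policy is switched on.
function canSignIn(org: Org, userId: string): Result {
  const u = org.members.get(userId);
  if (!u) return deny("not a member of this org");
  if (org.requireMfa && !u.mfaEnrolled) return deny("2FA enrolment required by org policy");
  return ok;
}

// Constructed sample org: an admin without 2FA, one member without, one with.
function makeOrg(): Org {
  const members = new Map<string, User>([
    ["alice", { id: "alice", role: "admin",  mfaEnrolled: false }],
    ["bob",   { id: "bob",   role: "member", mfaEnrolled: false }],
    ["carol", { id: "carol", role: "member", mfaEnrolled: true }],
  ]);
  return { id: "org-1", requireMfa: false, members };
}

// Walk the reproduction steps against both handlers.
function demo(): void {
  const flawed = makeOrg();
  console.log("unchecked:", setRequireMfaUnchecked(flawed, "alice", true)); // { ok: true }
  console.log("bob can sign in:", canSignIn(flawed, "bob"));               // denied (locked out)

  const fixed = makeOrg();
  console.log("checked:", setRequireMfaChecked(fixed, "alice", true));     // denied
  enrollMfa(fixed, "alice");
  console.log("checked after enrol:", setRequireMfaChecked(fixed, "alice", true)); // { ok: true }
}

demo();
```

The two handlers differ by a single conditional, which is the point: the role check alone answers "may this user change settings", while the added check answers "does this user already meet the standard they are about to impose". Keeping that check in the backend rather than the settings page is what makes it effective.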

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.