Drupal.org hopes to deploy two-factor authentication to enhance the security of the site. This tool will help to ensure that accounts with advanced permissions are only used by the intended individual. The Two Factor Authentication (tfa) module for Drupal was originally built by Growing Venture Solutions, has been dramatically enhanced to work for Acquia, and is being made “drupal.org-ready” with support from CARD.com.

To help test the security of the module, CARD.com is sponsoring a security bounty of up to $500 with organizing help from Drupal Security Team members Michael Hess, Ben Jeavons and Greg Knaddison.

Target Site Setup

There is a Drupal 7 site http://live-tfatest.gotpantheon.com/ which has the latest code for TFA and TFA Basic.

The site has the Security Review module installed and follows all of its advice. The site is also running the paranoia module to limit what can be done after logging in.

There is an administrator account with the username admin and password admin. This account has two-factor authentication set up using TOTP. The account has several trusted browsers and has a set of recovery codes.

The homepage is “node/1” and lists anyone who has successfully exploited the site (the list is empty at the time this was posted).

Suggestions and scope for exploiting the issue

We are specifically looking for testing of the two-factor authentication system, including its use of time-based one-time passwords, trusted browsers, and one-time-use recovery codes.

Social engineering attacks are out of scope.

There is flood-control in place per IP address that will lock out an IP after a few attempts.

Man-in-the-middle or other theoretical vulnerabilities that require sniffing a session or gaining access to a previously logged in computer are out of scope.

You can download the code used on the site at TFA 7.x-2.x-dev and TFA Basic 7.x-1.x-dev. We encourage you to set up your own site and review the code itself to help identify vulnerabilities.

Brute-force attacks will be considered, but are a lower priority. See the note below.

Vulnerabilities in Drupal core that allow a researcher to achieve the proof of exploit (below) are in scope.

Proof of exploit

1. Bypass TFA or otherwise gain an authenticated session on the site.
2. Edit the front page to add some information to indicate you have compromised the account (your name, a link, etc.).
3. Submit the details of the exploit via the Bugcrowd issue tracker (https://bugcrowd.com/card). Any vulnerabilities will be released in coordination with the Drupal Security Team policies. Submitting the issue to Bugcrowd lets us easily give bounties to researchers worldwide.
4. Send a copy of the report sent to Bugcrowd to security@drupal.org.

Note on brute-force attacks

Given that the module allows 6 attempts per hour per IP address, it is likely that you can brute force a TOTP code (1,000,000 combinations) for some amount of money that is likely above the bounty for this exercise, but low enough to make it generally feasible in a targeted attack on a high-value target. Discussion of this issue is happening in the drupal.org issue queue for tfa. For the purposes of this bounty, a brute-force attack is in scope if it leverages a weakness in this specific TFA implementation to use significantly fewer resources than is generally required for TOTP or 7-digit recovery codes.
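As an added illustration (written for this post, not code from the TFA module), the following Python sketches RFC 6238 TOTP verification behind a per-IP flood limit like the one described above, with a replay guard and a function giving the chance that random guessing succeeds under that limit; the secret, IP addresses and limit values are constructed.

```python
import hmac, hashlib, struct

# Constructed illustration, not the TFA module's code: RFC 6238 TOTP checking
# behind a per-IP flood limit like the one the post describes (6 per hour).
STEP = 30          # seconds per TOTP step
DIGITS = 6         # 6-digit codes: 1,000,000 combinations
LIMIT = 6          # failed attempts allowed per IP per window
WINDOW = 3600      # flood window in seconds (one hour)

def totp(secret: bytes, t: int) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1) over the 64-bit step counter."""
    counter = struct.pack(">Q", t // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret, self.skew = secret, skew_steps
        self.failures = {}    # ip -> timestamps of recent failed attempts
        self.last_used = -1   # highest accepted step counter (replay guard)

    def allowed(self, ip: str, now: int) -> bool:
        recent = [ts for ts in self.failures.get(ip, []) if now - ts < WINDOW]
        self.failures[ip] = recent
        return len(recent) < LIMIT

    def verify(self, ip: str, code: str, now: int) -> bool:
        if not self.allowed(ip, now):
            return False                  # flood-controlled: refuse outright
        for delta in range(-self.skew, self.skew + 1):
            step = now // STEP + delta
            if step <= self.last_used:
                continue                  # a code is accepted at most once
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_used = step
                return True
        self.failures.setdefault(ip, []).append(now)
        return False

def guess_success_probability(attempts: int, accepted_codes: int = 3) -> float:
    """Chance that `attempts` random guesses hit one of the `accepted_codes`
    codes valid right now (current step plus skew) out of 10**DIGITS."""
    return 1 - (1 - accepted_codes / 10 ** DIGITS) ** attempts
```

With the figures above, guess_success_probability(6) is roughly 1.8e-5 per IP per hour, which is why the note treats the residual risk as a question of resources rather than a defect in the code.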

We would like to thank Pantheon for hosting the site for purposes of security research.

Deploying TFA to drupal.org

It is very likely that TFA will get deployed to drupal.org. The issue tracking that is Deploy TFA on drupal.org, which has had a lot of positive feedback. Having more confidence in the security of the module will help move that issue to resolution.