[FD] Unauthorized MFA Code Delivery in EmpowerID
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Unauthorized MFA Code Delivery in EmpowerID
- From: "Patel, Nirav" <Nirav.Patel@xxxxxxxxxxxxx>
- Date: Wed, 26 Jul 2023 21:17:15 +0000
Severity: High
Description:
A security flaw in EmpowerID versions V7.205.0.0 and earlier causes the system
to send Multi-Factor Authentication (MFA) codes to unintended email addresses.
To exploit this vulnerability, an attacker would need valid, previously breached
login details for the account, namely a username and password.
The root cause is insufficient verification of the previously registered MFA
method at the time MFA codes are delivered. A bad actor who holds the correct
login details for an EmpowerID user account can abuse this weakness by changing
the email address associated with that account to one under their control. The
MFA codes that should reach the legitimate user are then delivered to the
malicious party's mailbox instead.
By successfully exploiting this vulnerability, an attacker could circumvent MFA
safeguards and potentially gain unauthorized access to the victim's account.
Such a breach could enable unauthorized activity, data breaches, or the
exposure of confidential information within the affected EmpowerID system.
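To make the root cause above concrete, the following is an added illustration, not EmpowerID code; the account model, function names and addresses are constructed. It contrasts an email change that silently redirects MFA delivery with a flow that sends the confirmation to the already-registered address, so a new address becomes the MFA target only after the existing factor has been proven.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    username: str
    mfa_email: str                       # address MFA codes are delivered to
    pending_email: Optional[str] = None  # proposed new address, not yet trusted
    outbox: list = field(default_factory=list)  # constructed stand-in for the mail relay

def issue_mfa_code(acct: Account, purpose: str) -> str:
    """Generate a one-time code and deliver it to the currently registered MFA address."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.outbox.append((acct.mfa_email, f"{purpose}:{code}"))
    return code

# Weak pattern from the advisory: a password-only session edits the profile address,
# and the next MFA code follows it to the new address.
def change_email_unverified(acct: Account, new_email: str) -> None:
    acct.mfa_email = new_email

# Hardened pattern: the new address stays pending until a code sent to the OLD,
# registered address is presented, so the existing factor must be proven first.
def request_email_change(acct: Account, new_email: str) -> str:
    acct.pending_email = new_email
    return issue_mfa_code(acct, "confirm-email-change")  # kept server-side only

def confirm_email_change(acct: Account, expected: str, presented: str) -> bool:
    ok = acct.pending_email is not None and hmac.compare_digest(expected, presented)
    if ok:
        acct.mfa_email = acct.pending_email
    acct.pending_email = None  # one attempt per request, whatever the outcome
    return ok

def login_code_recipient(hardened: bool) -> str:
    """Simulate a holder of valid credentials trying to redirect MFA delivery;
    return the address that receives the next login code."""
    acct = Account("victim", "victim@example.invalid")
    if hardened:
        expected = request_email_change(acct, "other@example.invalid")
        # The confirmation went to the victim's mailbox, so the requester cannot present it.
        confirm_email_change(acct, expected, presented="")
    else:
        change_email_unverified(acct, "other@example.invalid")
    issue_mfa_code(acct, "login")
    return acct.outbox[-1][0]
```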
Affected Versions:
* EmpowerID versions V7.205.0.0 and earlier.
Actions Performed:
EmpowerID has released a patch, version V7.205.0.1, along with patches for older
versions, which addresses this vulnerability. EmpowerID has contacted customers
that are known to use EmpowerID's MFA. All customers are strongly recommended to
upgrade to the latest version immediately to mitigate the risk, or to contact
EmpowerID for patch details.
Nirav Patel
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/