Wp-calypso: Security: when 2FA is disabled I can still reset via SMS

Created on 29 Mar 2017 · 6Comments · Source: Automattic/wp-calypso

Steps to reproduce:

Start at https://wordpress.com/me/security/two-step
Enable Two-Step Authentication (2FA).
Disable 2FA.
Lot out and to reset the account password using SMS.

Result: it's possible to reset via SMS because we don't delete the mobile number when 2FA is disabled.

With 2FA disabled (and no recovery SMS number set) password resets should be done via email only.

/hat tip @vortfu for the report (internal ref: p14908088198266170-triage)

Code ref: /trunk/wp-content/mu-plugins/account-recovery.php?r=152585#991

Security [Pri] High [Type] Bug

Source

designsimply

Most helpful comment

@GeoJunkie A reset email is also sent to the user, and is mentioned on the SMS form (albeit not in the most obvious text):

screen shot 2018-03-13 at 11 27 34 am

kwight on 13 Mar 2018

👍2

All 6 comments

This issue has been marked as stale because it hasn't been updated in a while. It will be closed in a week.
If you would like it to remain open, can you please you comment below and see what you can do to get things moving with this issue?
Thanks! 🙏

stale[bot] on 11 Jan 2018

bump

vortfu on 11 Jan 2018

In progress: d10756-code

kwight on 7 Mar 2018

I have had this issue come up again, and it's causing worse problems. When a user has a stuck 2FA code like this, they're unable to use the password reset link as it will send an SMS to the old number, as well.

Steps to reproduce:

Add 2FA via SMS to an account.
Remove 2FA from the account (the user RC will still show the Account Recovery number).
Go to https://en.wordpress.com/wp-login.php?action=lostpassword
Enter the email address for the account that no longer has 2FA.

The Lost Password form will send an SMS and ask the user for the code which, if they no longer have that phone, they won't be able to access.