View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0006154SOGoWeb Preferencespublic2025-10-17 10:562025-10-20 12:56
ReporterChristian Mack Assigned Toqhivert  
PrioritynormalSeverityminorReproducibilityalways
Status assignedResolutionopen 
Platform[Server] LinuxOSDebianOS Version11 (Bullseye)
Product Version5.12.5 
Summary0006154: TOTP secret is not changed after disabling --> reenabling
Description

The TOTP secret is not deleted by disabling 2FA in webinterface PReferences.
Therefore you can not change your secret at all.

Steps To Reproduce

1) Login to SOGo webinterface with username + password only.
2) Open Preferences in SOGo webinterface.
3) Enable 2FA in SOGo webinterface.
4) Scan QR code (== secret) with TOTP app or device.
5) Copy TOTP code from app or device to verification field.
6) Store your change.
7) Logoff
8) Login again with username + password + TOTP code.
==> 2FA works correct.

9) Open Preferences.
10) Disable 2FA.
11) Store your change.
12) Logoff
13) Login again with username + password only.
==> 2FA disabling seems to works.

14) Open Preferences.
15) Enable 2FA again.
16) Do not scan the QR-Code with your TOTP app or device.
17) Copy TOTP code from app or device to verification field.
18) Store your change.
==> This should not work, as you did not scan the secret!!!!
Obviously the secret was not deleted by disabling 2FA.

Additional Information

Scenario 1:
You lose your TOTP device. For added security you want to change your SOGo TOTP secret.

Scenario 2:
An attacker intercepts your username + password.
After logging in he activates 2FA.
Therefore you are logged out.
After changing your password and disabling 2FA, you activate 2FA yourself, but you will get the same secret as the attacker already has!

TagsNo tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2025-10-17 10:56 Christian Mack New Issue
2025-10-20 12:56 qhivert Assigned To => qhivert
2025-10-20 12:56 qhivert Status new => assigned