0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: CRITICAL

Location: src/Controllers/AccountController.php:715-718

Bug: SELECT * from users, only password_hash is unset — totp_secret flows into the JSON download.

Fix: Whitelist columns or explicitly unset totp_secret, remember_token, and the sessions section.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:28pm

Resolved.

Rewrote AccountController::exportData() (src/Controllers/AccountController.php) to stop selecting * from users.

The query is now an explicit column whitelist that excludes:

  • password_hash
  • totp_secret
  • totp_last_step
  • remember_token
  • banned_until, suspended_until, suspension_reason, is_shadow_banned
  • mandatory_2fa_setup_deadline
  • any future sensitive column (safer by default)

Also tightened the sessions block: instead of the raw session id (the actual cookie value), the export now contains a SHA-256-derived session_fingerprint so users can distinguish rows without the export becoming a live-session dump.

Also resolves M-20 (sessions.id in GDPR export) — closing that thread alongside this one.

Locking this thread.
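
The fix described in this thread, as an added example that is not the project's own code: an export query built from an explicit column allowlist, with each session id replaced by a SHA-256-derived fingerprint, followed by a check that nothing secret reaches the JSON. The allowed column names, the `sessions` table layout, the keyed (HMAC) variant with truncation, the server key and the in-memory SQLite data are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical allowlist: the thread names only the excluded columns.
const EXPORT_USER_COLUMNS = ['id', 'username', 'email', 'created_at'];

function sessionFingerprint(string $sessionId, string $serverKey): string
{
    // Keyed SHA-256, truncated: stable per session, useless as a cookie value.
    return substr(hash_hmac('sha256', $sessionId, $serverKey), 0, 16);
}

function exportData(PDO $pdo, int $userId, string $serverKey): array
{
    // Explicit column list: a column added later stays out until listed here.
    $cols = implode(', ', EXPORT_USER_COLUMNS);
    $stmt = $pdo->prepare("SELECT $cols FROM users WHERE id = :id");
    $stmt->execute([':id' => $userId]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
    $stmt = $pdo->prepare('SELECT id, created_at FROM sessions WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $sessions = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $sessions[] = [
            'session_fingerprint' => sessionFingerprint($row['id'], $serverKey),
            'created_at'          => $row['created_at'],
        ];
    }
    return ['user' => $user, 'sessions' => $sessions];
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
    created_at TEXT, password_hash TEXT, totp_secret TEXT, remember_token TEXT)');
$pdo->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id INTEGER, created_at TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.test', '2026-01-01',
    'HASH-PLACEHOLDER', 'TOTP-PLACEHOLDER', 'TOKEN-PLACEHOLDER')");
$pdo->exec("INSERT INTO sessions VALUES ('constructed-session-id', 1, '2026-04-17')");

$export = exportData($pdo, 1, 'constructed-server-key');
// Regression check: no secret column and no raw session id in the serialized export.
$json = json_encode($export, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
foreach (['password_hash', 'totp_secret', 'remember_token', 'constructed-session-id'] as $needle) {
    if (str_contains($json, $needle)) {
        throw new RuntimeException("export leaks $needle");
    }
}
echo $json, PHP_EOL;
```

The closing loop is the part worth keeping as a regression test: it fails the build if a sensitive column name or a raw session id ever reappears in the export.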
