Tinyauth OIDC TOTP Bypass Vulnerability
Vulnerability
A vulnerability in Tinyauth's OIDC authorization endpoint, present in versions prior to 5.0.3, allows a user whose session is still TOTP-pending (password accepted, second factor not yet verified) to obtain authorization codes. The endpoint does not verify that TOTP verification has completed before issuing a code, so an attacker who knows a user's password can bypass two-factor authentication and acquire valid OIDC tokens.
Impact
Exploitation of this vulnerability allows for a complete bypass of TOTP-based two-factor authentication, enabling an attacker to obtain OIDC tokens for a user without knowing their TOTP secret. This affects all applications relying on Tinyauth's OIDC provider for authentication.
Reproduction
To reproduce this vulnerability, log in to a Tinyauth instance with a user account that has TOTP enabled, using only the password and not completing the TOTP step. This creates a session marked as TOTP-pending. Then use that session cookie to request an OIDC authorization code, and exchange the code for access and ID tokens. The response includes tokens for the user even though TOTP verification never completed, demonstrating the bypass.
Remediation
Users should update to Tinyauth version 5.0.3 or later, where this vulnerability has been fixed.
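The missing check, shown as an added Go example rather than Tinyauth's own code: the session type, cookie name, endpoint path and in-memory session store below are all constructed for this illustration. The first handler reproduces the flawed logic described above (any resolvable session receives an authorization code); the second treats a TOTP-pending session exactly like a missing one, which is the property a fix for this class of bug must establish.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Session models the state an authentication proxy keeps per login cookie.
// Field and type names are assumptions for this example, not Tinyauth's types.
type Session struct {
	User        string
	TOTPPending bool // password accepted, second factor not yet verified
}

// sessions is a constructed in-memory store keyed by cookie value.
var sessions = map[string]Session{
	"cookie-complete": {User: "alice", TOTPPending: false},
	"cookie-pending":  {User: "bob", TOTPPending: true},
}

// lookupSession resolves the "session" cookie (name assumed) on a request.
func lookupSession(r *http.Request) (Session, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return Session{}, false
	}
	s, ok := sessions[c.Value]
	return s, ok
}

// authorizeVulnerable mirrors the flawed logic: the only question asked is
// whether a session exists, so a TOTP-pending session is issued a code.
func authorizeVulnerable(w http.ResponseWriter, r *http.Request) {
	s, ok := lookupSession(r)
	if !ok {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "authorization code issued for %s", s.User)
}

// authorizeFixed refuses to issue a code until every required factor has
// been completed; a pending session is not an authenticated session.
func authorizeFixed(w http.ResponseWriter, r *http.Request) {
	s, ok := lookupSession(r)
	if !ok || s.TOTPPending {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "authorization code issued for %s", s.User)
}

// requestCode drives a handler with the given cookie value against an
// assumed "/authorize" path and returns the HTTP status it produced.
func requestCode(h http.HandlerFunc, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, "/authorize", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	for _, c := range []string{"cookie-complete", "cookie-pending", "no-such-cookie"} {
		fmt.Printf("%-16s vulnerable=%d fixed=%d\n", c,
			requestCode(authorizeVulnerable, c), requestCode(authorizeFixed, c))
	}
}
```

The point of the design is that partial authentication must not be representable as "logged in" at any endpoint that mints credentials: a single state flag consulted in one place is easy to forget, so a stricter layout keeps pending logins in a separate store (or a separate cookie) that the authorization endpoint cannot resolve at all. The same check belongs on every token-issuing or session-upgrading path, not only the one named in this advisory.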
