Vikunja TOTP Brute-Force Vulnerability Due to Inactive Account Lockout Mechanism
Vulnerability
A vulnerability in Vikunja, an open-source task management platform, allows unlimited brute-force attempts against Time-based One-Time Password (TOTP) codes. This issue arises from a database transaction handling bug that prevents the TOTP failed-attempt lockout from functioning properly. In versions prior to 2.3.0, when a TOTP validation fails, the login handler calls 'HandleFailedTOTPAuth' and then rolls back the database session, undoing the lockout status that should have been applied after 10 failed attempts. As a result, the lockout mechanism fails to persist, leaving accounts vulnerable to repeated TOTP code entry attempts.
Impact
Exploitation of this vulnerability allows attackers to bypass TOTP two-factor authentication by brute-forcing 6-digit codes. After exceeding 10 failed attempts, the intended account lockout does not occur, enabling continued attempts to guess TOTP codes. While there is a per-IP rate limit of 10 requests per minute, an attacker can distribute attempts across multiple IPs to circumvent this limitation.
Reproduction
To reproduce this vulnerability, log in to Vikunja and enable TOTP for a user account. Afterward, send 11 failed login attempts using incorrect TOTP codes. The account will not be locked, allowing continued TOTP code entry. Exploitation of this vulnerability can be automated with a script against the TOTP validation endpoint, taking advantage of the lack of a persistent lockout.
Remediation
Users can update to Vikunja version 2.3.0, which fixes the TOTP lockout mechanism by ensuring that lockout status changes are properly committed to the database, rather than being rolled back after a failed TOTP validation.
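The transaction-ordering bug described in the Vulnerability section and the fix described above, as an added illustration that is not Vikunja's own code: an in-memory stand-in for a database session shows why writing the failure counter inside the login transaction and then rolling it back never persists a lockout, and how committing that bookkeeping in its own session makes the 10-attempt lockout stick. The session type, the user row, the body of handleFailedTOTPAuth and the login function are simplified assumptions, not the project's implementation.

```go
package main
const maxFailedTOTP = 10 // lockout threshold described in the advisory
// user is the persisted row; the account is locked once the counter reaches the threshold.
type user struct{ failedTOTP int }
// session stands in for a DB transaction: pending writes reach the row only on Commit.
type session struct {
	row     *user
	pending user
}
func begin(u *user) *session { return &session{row: u, pending: *u} }
func (s *session) Commit()   { *s.row = s.pending }
func (s *session) Rollback() { s.pending = *s.row }

// handleFailedTOTPAuth records one failed TOTP check inside a session (simplified assumption).
func handleFailedTOTPAuth(s *session) { s.pending.failedTOTP++ }

// login checks a TOTP result; fixed selects the corrected ordering over the pre-2.3.0 one.
func login(u *user, codeOK, fixed bool) string {
	if u.failedTOTP >= maxFailedTOTP {
		return "locked"
	}
	s := begin(u)
	if codeOK {
		s.Commit()
		return "ok"
	}
	if fixed {
		// corrected: abandon the login transaction, then commit the bookkeeping in its own session
		s.Rollback()
		s = begin(u)
		handleFailedTOTPAuth(s)
		s.Commit()
	} else {
		// bug: the bookkeeping lives in the login session, which is then rolled back
		handleFailedTOTPAuth(s)
		s.Rollback()
	}
	return "invalid_totp"
}

// wrongCodesAccepted counts wrong codes the handler evaluates before answering "locked", capped at n.
func wrongCodesAccepted(fixed bool, n int) int {
	u := &user{}
	for i := 0; i < n; i++ {
		if login(u, false, fixed) == "locked" {
			return i
		}
	}
	return n
}
```

With the vulnerable ordering wrongCodesAccepted(false, 100) returns 100 (the counter never persists); with the corrected ordering it returns 10, matching the intended lockout threshold.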
