Summary
MFA backup codes are returned in the API response body with no mechanism to ensure they are only shown once. Anyone who intercepts the response has permanent access to the account.
Affected File
services/auth-service/index.js:842-861
Root Cause
// MFA setup returns backup codes in plain text
res.json({
  success: true,
  backupCodes: generatedCodes // Printed once, but no "shown only once" enforcement
});
Backup codes are designed to be one-time-use recovery codes. Best practice requires:
- Showing them to the user exactly once
- Requiring the user to confirm they've saved them (e.g., "I've saved my backup codes")
- Never returning them again via API
Impact
- If an attacker intercepts the MFA setup response, they have permanent backup codes
- Backup codes may be retained in browser history, proxy logs, or API monitoring tools
- User cannot rotate backup codes without disabling and re-enabling MFA
- No confirmation that user actually saved the codes
Fix Required
- Add a "shown once" flag in the database
- Never return backup codes after the initial setup
- Require user confirmation before completing MFA setup
- Add a separate API endpoint for rotating backup codes with re-authentication