NoSQL Injection in the accounts-2fa package

A security bug affecting the newest core package, accounts-2fa, requires your attention.

Meteor developers already using this package should be aware of a recently discovered security vulnerability. This only applies to apps that used the package with Meteor 2.7, and it is fixed in 2.7.1. Also, only users that already have 2FA enabled could be affected by the vulnerability.

Description

One of our core developers, Zodern, found and reported a NoSQL Injection problem in the function .has2faEnabled, one of the new methods exposed by the package accounts-2fa. This function accepted any value as its parameter and used it directly as the selector of a query on the users collection, meaning that data could be extracted, but only for users with 2FA enabled.

Verification

The vulnerability would allow things like checking whether 2FA is enabled for any user, getting a list of all users that have 2FA enabled, getting data from a user’s document if they had 2FA enabled, or doing a denial of service attack on the Mongo database.

So the first thing you may want to check is if you have any user in your database that has 2FA enabled. This query should fetch those users:

db.users.find({ "services.twoFactorAuthentication.type": "otp" })

If this query doesn’t return anything, you don’t need to worry. Just go to the Applying the solution to your app part.

But in case it does, you may want to check whether the vulnerability was exploited. One way to do it is to verify whether the method has2faEnabled was called a very large number of times: in order to extract any information, this method would have to be called many times.

Solution

The solution for this was pretty simple. As this function was always meant to be used with a logged-in user, all we had to do was stop receiving a selector and use Meteor.user() instead.
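To make the two shapes of the method concrete, here is an added illustration (not the accounts-2fa package’s code): a small in-memory stand-in for the users collection, the method written so that the caller supplies the selector, and the same method written so that it only ever looks at the logged-in user’s own document. The `Users` object, its equality-only matcher, the sample user documents and the helper names are all constructed for this example; in a real Meteor method the fixed version would use Meteor.user() or this.userId, as the advisory describes. The verification query from the section above is included as a function so its result can be checked.

```javascript
// Constructed stand-in for Meteor.users: the matcher only supports equality on
// (dotted) field paths, which is enough to show why a caller-controlled selector
// leaks information.
function getPath(doc, path) {
  return path.split('.').reduce((v, k) => (v == null ? undefined : v[k]), doc);
}

function matches(doc, selector) {
  return Object.entries(selector).every(([path, want]) => getPath(doc, path) === want);
}

// Constructed sample documents (secrets are placeholders, not real OTP secrets).
const sampleUsers = [
  { _id: 'u1', username: 'alice', services: { twoFactorAuthentication: { type: 'otp', secret: 'PLACEHOLDER-A' } } },
  { _id: 'u2', username: 'bob',   services: {} },
  { _id: 'u3', username: 'carol', services: { twoFactorAuthentication: { type: 'otp', secret: 'PLACEHOLDER-C' } } },
];

const Users = {
  find(selector) { return sampleUsers.filter((d) => matches(d, selector)); },
  findOne(selector) { return this.find(selector)[0]; },
};

// The verification query from the advisory: which users have 2FA enabled?
function usersWith2fa() {
  return Users.find({ 'services.twoFactorAuthentication.type': 'otp' });
}

// Vulnerable shape (hypothetical reconstruction): whatever the caller sends is
// used as the selector, so the caller decides which user document is inspected.
// Passing { username: 'carol' } tells an unrelated client whether carol has 2FA.
function has2faEnabledVulnerable(callerSelector) {
  const user = Users.findOne(callerSelector);
  return !!getPath(user, 'services.twoFactorAuthentication.type');
}

// Fixed shape: no selector parameter at all. The document is chosen by the
// server-side identity of the caller (Meteor.user() / this.userId in Meteor),
// so the method can only ever answer for the logged-in user.
function has2faEnabledFixed(currentUserId) {
  if (!currentUserId) {
    throw new Error('not-authorized: has2faEnabled requires a logged-in user');
  }
  const user = Users.findOne({ _id: currentUserId });
  return !!getPath(user, 'services.twoFactorAuthentication.type');
}

// Detection aid matching the advisory's hint: count calls per connection and
// flag a connection that calls the method an unusually large number of times.
function makeCallCounter(threshold) {
  const counts = new Map();
  return function record(connectionId) {
    const n = (counts.get(connectionId) || 0) + 1;
    counts.set(connectionId, n);
    return n > threshold; // true means "worth investigating"
  };
}
```

The vulnerable function answers the question "does this selector match a 2FA user?" for any selector, which is exactly the information leak the advisory describes; the fixed function cannot be steered to another user's document because the only input it takes is the server's own notion of who is calling. The call counter is a simple stand-in for the log check the advisory suggests: the threshold is a tuning choice, and a normal client has no reason to call this method more than a handful of times per session.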

Applying the solution to your app

If you’re already using this package, make sure to update your Meteor version to 2.7.1 with meteor update --release 2.7.1. The package’s version should now be 2.0.1. You can check that in .meteor/versions.

Credit

Meteor believes in responsible disclosure of security vulnerabilities. We respect the hard work of security researchers who privately notify us with vulnerability details, and we appreciate the time they give us to address and resolve vulnerabilities prior to disclosing them publicly.

Credit for the discovery of this vulnerability goes to Zodern, who reported this issue to Meteor.

Please contact security@meteor.com to report a vulnerability in Meteor.

7 Likes

Why doesn’t Meteor have a system for rewarding security researchers? Merely acknowledging doesn’t really help out in the long run.

It’s weird that it proudly touts the unavailability of a bounty program!

We don’t have any bounty program.

Maybe hackerone or bugcrowd, Meteor has a page on hackerone but seems to be lacking.

3 Likes

In my opinion, there should be a specific reward for security reporters.
This is a completely logical and economical task.

2 Likes

Thanks, @harry97 and @saeeed for your input! We’ll definitely look into a bug bounty program for Meteor :slightly_smiling_face:. I believe it will be great to reward our fellow devs for the hard work they put into Meteor :comet:.

As for the Meteor hackerone page, I think it’s old cause it’s the first time I’m discovering it - but let me look into it!

2 Likes