The required feature described as a wish
Description: The 2FA input is defined as type="password". Password managers treat it like a regular password field, so they may save or autofill the 2FA code. This can overwrite the stored password and lock the user out of their account. The field was likely set this way to hide the Static PIN from bystanders or during screen sharing.
Affected Components: Management UI
Impact: Password managers may replace saved passwords with 2FA codes. This can lock users out and lead them to choose weaker passwords or store them insecurely.
Steps to Reproduce:
- Log in to the CloudStack Management UI with a user that has 2FA enabled.
- Enter valid credentials and continue to the 2FA screen.
- Inspect the 2FA input field in the browser’s developer tools.
- Confirm it is set to type="password".
Recommended Remediation: Change the 2FA input field to type="number" and add autocomplete="one-time-code". This informs password managers of the field's actual meaning.
Also, consider combining the password and 2FA into a single form. This way, attackers can’t tell which part failed, making password attacks harder.
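As an added audit check that is not part of this report or of CloudStack, the following JavaScript scans form markup for the exact weakness described above (a 2FA input declared as type="password" and lacking autocomplete="one-time-code"), using a constructed weak form beside its remediated form; the input names and placeholder text are assumptions, not CloudStack's own markup.

```javascript
// Added audit helper (not CloudStack code): flag 2FA/OTP inputs declared as
// type="password", the pattern that makes password managers treat the code
// as a credential and overwrite the saved password.

// Constructed sample markup. Field names are assumptions for illustration.
const WEAK_FORM = `
  <form id="login">
    <input type="text" name="username" autocomplete="username">
    <input type="password" name="password" autocomplete="current-password">
    <input type="password" name="twofactorcode" placeholder="2FA code">
  </form>`;

// The same form with the remediation from the report applied.
const FIXED_FORM = `
  <form id="login">
    <input type="text" name="username" autocomplete="username">
    <input type="password" name="password" autocomplete="current-password">
    <input type="number" name="twofactorcode" autocomplete="one-time-code" inputmode="numeric">
  </form>`;

// Name/id/placeholder hints that mark a field as a second factor, not a password.
const OTP_HINT = /(2fa|two.?factor|otp|one.?time|totp|verification|auth.?code|\bpin\b)/i;

// Parse every <input ...> tag into a plain attribute map. A regex is enough
// for an audit of static markup; a full HTML parser is not needed here.
function parseInputs(html) {
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[m[1].toLowerCase()] = m[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// One finding per OTP-looking field that is typed as a password or lacks the
// autocomplete hint password managers rely on to avoid saving the value.
function auditOtpFields(html) {
  const findings = [];
  for (const a of parseInputs(html)) {
    const label = [a.name, a.id, a.placeholder, a['aria-label']].filter(Boolean).join(' ');
    if (!OTP_HINT.test(label)) continue;
    const type = (a.type || 'text').toLowerCase();
    const ac = (a.autocomplete || '').toLowerCase();
    if (type === 'password') findings.push(`${a.name || a.id}: type="password" on a 2FA field`);
    if (ac !== 'one-time-code') findings.push(`${a.name || a.id}: missing autocomplete="one-time-code"`);
  }
  return findings;
}
```

Running auditOtpFields over the weak form yields two findings for the 2FA field and none for the username or password inputs; the remediated form yields none.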