Keycloak took 10 months to fix a 2FA bypass

Earlier this year, while working on a client’s source-assisted application and architecture assessment, my colleague Ema and I took a closer look at Keycloak, an open-source identity and access management solution. Surprisingly, we discovered a security issue that allowed an attacker to bypass two-factor authentication with nothing more than a valid username and password. We reported the vulnerability and went through a lengthy communication timeline with the developers. We also identified multiple security issues in the authentication and authorization endpoints, which carry significant risk for deployments that rely on Keycloak as their identity provider. Keycloak’s response time to these reports raised concerns about how quickly critical security flaws in the project get mitigated. The full analysis and advisories are available at the link below.

https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/
