Bypassing Authentication: A Critical Flaw in Basecamp’s
Summary
Security researcher fuzzsqlb0f has discovered a serious account takeover flaw on project management software Basecamp.
The Basecamp authentication flaw allows an attacker who has already obtained a user’s password to keep accessing the account even after that password is changed: the system does not revoke all authentication tokens on a password change, and old one-time password (OTP) backup codes remain valid, so they can be used to bypass two-factor authentication (2FA).
The vulnerability has been confirmed by a former hacker bounty program participant.
The discovery highlights the serious risks posed by lax implementation of password and 2FA protection.
Users are advised to activate 2FA and maintain unique, complex passwords for all accounts.
Basecamp has awarded the researcher $5,000 for disclosing the flaw.
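As an added illustration (not code from the article, from Basecamp or from the researcher), the minimal account model below contrasts a password change that leaves sessions and OTP backup codes in place with one that revokes the sessions and reissues the codes; the account, password and code values are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _h(value: str) -> str:
    """SHA-256 keeps the example dependency-free; real systems use a slow password KDF."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    backup_codes: set = field(default_factory=set)  # hashed, single-use 2FA backup codes
    sessions: set = field(default_factory=set)      # live authentication tokens

    def issue_backup_codes(self, n: int = 5) -> list:
        codes = [secrets.token_hex(4) for _ in range(n)]
        self.backup_codes = {_h(c) for c in codes}  # any earlier set is discarded
        return codes

    def login(self, password: str, backup_code: str):
        """Password plus one backup code as the second factor; returns a token or None."""
        if _h(password) != self.password_hash or _h(backup_code) not in self.backup_codes:
            return None
        self.backup_codes.discard(_h(backup_code))  # each code may be used once
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def change_password_weak(self, new_password: str) -> None:
        """The mistake described above: only the hash changes; tokens and codes survive."""
        self.password_hash = _h(new_password)

    def change_password(self, new_password: str) -> list:
        """Hardened: rotate the password, revoke every session, reissue backup codes."""
        self.password_hash = _h(new_password)
        self.sessions.clear()
        return self.issue_backup_codes()


def scenario(hardened: bool) -> tuple:
    """Attacker is already logged in with the stolen password and one backup code; the
    victim then changes the password. Returns (session_still_valid, old_code_still_valid)."""
    acct = Account(password_hash=_h("old-password"))  # constructed sample account
    codes = acct.issue_backup_codes()
    attacker_token = acct.login("old-password", codes[0])
    (acct.change_password if hardened else acct.change_password_weak)("new-password")
    return attacker_token in acct.sessions, _h(codes[1]) in acct.backup_codes
```

`scenario(False)` returns `(True, True)`: the weak rotation leaves both the attacker's session and the unused backup code usable, while `scenario(True)` returns `(False, False)`.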