Oppsie, I did it again

Not going to name names, but another large software company that offers an RMM tool just had their 2FA bypassed by yours truly, and it was on accident during my trial of their “pushy salespeople” program. So glad I am still in a trial on a test site. I can’t divulge too many details and I won’t on their company name (they are in the top 3-4) until I can confirm it not being by accident tomorrow. But hey, the senior sales guy told me 110% that their remote “TakeControl” software would work on my Linux stack “no problem” and it did not. Not without hacky workarounds that wind up maxing my system out 10 fold. It’s hella buggy and even though they bought it from a third party who was GFI who bought it from Hounddog, it reminds me of the same old piecemeal garbage it was back in 2009, but in fact worse.

2 Likes

Just like another vendor who blamed it all on me, a popular BDR vendor. Clearly logs and chat logs show it’s not on me. But I digress.

The reason I don’t do Windows, farm that out to those who have boocoo resources to deal with the never ending problems.

1 Like

If what you are saying is true then do a write up showing the proof of concept and file a bug report.

2 Likes

I will try and reproduce it today to make sure it wasn’t just a fluke

Seems like the issue is due to caching? So if I don’t logout manually and close the browser, at any time later I can go back to the website, click on login at the top, chose the rmm selection and enter my email. Doesn’t ask for a password and doesn’t ask for my 2fa code, straight to the RMM dashboard.

Clearly after 12 hours of not using the RMM and the browser closed, my 2fa code should have well expired a million times over.

What’s even more is that while logged in and inactive for a period of time the RMM with auto log you out and you will have to enter your email, password and 2fa code. Why wouldn’t the session expire the same way if you just closed out the browser then?

If I clear my cache it seems to work as intended.

@LTS_Tom

In that same companies other RMM, there is a session expiration timeout setting. I’m not sure if the one you’re using has that setting, but I’m curious as to what you set the time out to.