1. Kratos TOTP Security Flaw: Client-Side Counter Allows Brute-Force Attack on 2FA
A critical security vulnerability in the Kratos identity management system allows attackers to bypass two-factor authentication (2FA) protections. The flaw resides in the current TOTP (Time-based One-Time Password) login challenge, which tracks failed verification attempts in a cookie that the client controls. Because the...
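The following Go example is added here as an illustration and is not code from Kratos or from the advisory. It puts the weak pattern the summary describes (a failed-attempt counter read back from a cookie the client itself sends) beside the defensive alternative: a counter kept server-side, keyed by the login flow id, that the client cannot reset. The cookie name, the attempt threshold, the lockout window, the flow id and the `verifyCode` stand-in for real TOTP verification are all assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Assumed values for this example; they are not Kratos settings.
const (
	maxFailedAttempts = 5                // lockout threshold (assumption)
	lockoutDuration   = 10 * time.Minute // lockout window (assumption)
	failedCookieName  = "totp_failed"    // hypothetical cookie name
)

// attemptsFromCookie shows the weak pattern: the failed-attempt count is read
// from a cookie supplied by the client. A client that omits or rewrites the
// cookie presents whatever count it likes, so the limit is never enforced.
func attemptsFromCookie(r *http.Request) int {
	c, err := r.Cookie(failedCookieName)
	if err != nil {
		return 0 // no cookie: the client "reports" zero failures
	}
	n, err := strconv.Atoi(c.Value)
	if err != nil || n < 0 {
		return 0
	}
	return n
}

// AttemptStore is the hardened pattern: the counter lives server-side, keyed by
// the login flow id, and is never derived from anything the client sends.
type AttemptStore struct {
	mu          sync.Mutex
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewAttemptStore() *AttemptStore {
	return &AttemptStore{
		failures:    make(map[string]int),
		lockedUntil: make(map[string]time.Time),
	}
}

var (
	ErrLocked      = errors.New("totp: too many failed attempts, flow locked")
	ErrInvalidCode = errors.New("totp: invalid code")
)

// Verify checks the submitted code only while the server-side counter is below
// the limit. A failure increments the counter, reaching the limit locks the flow
// for lockoutDuration, and a success resets it. verifyCode stands in for the
// real TOTP comparison.
func (s *AttemptStore) Verify(flowID, code string, verifyCode func(string) bool, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()

	if until, ok := s.lockedUntil[flowID]; ok {
		if now.Before(until) {
			return ErrLocked
		}
		// Lockout expired: clear it and start counting again.
		delete(s.lockedUntil, flowID)
		s.failures[flowID] = 0
	}

	if verifyCode(code) {
		delete(s.failures, flowID)
		return nil
	}

	s.failures[flowID]++
	if s.failures[flowID] >= maxFailedAttempts {
		s.lockedUntil[flowID] = now.Add(lockoutDuration)
		return ErrLocked
	}
	return ErrInvalidCode
}

// Failures reports the server-side count for a flow.
func (s *AttemptStore) Failures(flowID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.failures[flowID]
}

func main() {
	store := NewAttemptStore()
	isValid := func(code string) bool { return code == "123456" } // constructed stand-in
	now := time.Now()
	for i := 1; i <= 6; i++ {
		fmt.Printf("attempt %d: %v\n", i, store.Verify("flow-1", "000000", isValid, now))
	}
	// The correct code is rejected while the lockout holds, and accepted once it expires.
	fmt.Println("during lockout:", store.Verify("flow-1", "123456", isValid, now))
	fmt.Println("after lockout: ", store.Verify("flow-1", "123456", isValid, now.Add(lockoutDuration+time.Second)))
}
```

The point of the contrast is where the state lives: `attemptsFromCookie` trusts the client for the one value the limit depends on, while `AttemptStore` keeps that value in server memory keyed by the flow (in a real deployment it would be a database or cache shared across instances, with the same property that the client never supplies it). A review of a TOTP challenge should check that the failure counter and any lockout timestamp are stored and read only on the server side.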